Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: phpMyAdmin - error.php XSS Vulnerability
Release Date: 2006/11/02
Last Modified: 2006/11/02
Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]
Application: phpMyAdmin <= 2.9.0.2
Severity: XSS vulnerability in an error displaying script
Risk: Medium Critical
Vendor Status: Vendor has a released an updated version
References: http://www.hardened-php.net/advisory_122006.137.html
Overview:
Quote from http://www.phpmyadmin.net
"phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the Web. Currently it can create and
drop databases, create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields, manage privileges,
export data into various formats and is available in 50 languages."
It was discovered that phpMyAdmin comes with a script to display
error messages that supports displaying the error in a user supplied
charset. Unfortunately the encoding of the error message is not
taking the charset into account which can result into XSS when UTF-7
is selected. (Other charsets like US-ASCII can also be used to
exploit this in some browsers.)
To trigger this XSS vulnerability an attacker just needs to call
the error displaying script with charset=utf-7 and utf-7 encoded
HTML tags in the error message.
Proof of Concept:
The Hardened-PHP Project is not going to release exploits for
this vulnerability to the public.
Disclosure Timeline:
18. October 2006 - Contacted phpMyAdmin developers by email
01. November 2006 - Updated phpMyAdmin was released
02. November 2006 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to the newest version of
phpMyAdmin 2.9.0.3 which you can download at:
http://www.phpmyadmin.net/home_page/downloads.php
GPG-Key:
http://www.hardened-php.net/hardened-php-signature-key.asc
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1
Copyright 2006 Stefan Esser. All rights reserved.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFFSbPtRDkUzAqGSqERAkcTAJ49t9pfmuBAyvk0UcHuhZe/6cu48gCgp3ea
HoIvssTE/gfvQyAY3BcOhwQ=
=70mU
-----END PGP SIGNATURE-----