Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability
From: Stefan Esser <sesser@xxxxxxxxxxxxxxxx>
Date: Thu, 2 Nov 2006 09:10:38 +0100
Cc: red@xxxxxxxxx
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mutt/1.5.8i

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-


     Advisory: phpMyAdmin - error.php XSS Vulnerability
 Release Date: 2006/11/02
Last Modified: 2006/11/02
       Author: Stefan Esser [sesser@xxxxxxxxxxxxxxxx]

  Application: phpMyAdmin <= 2.9.0.2
     Severity: XSS vulnerability in an error displaying script
         Risk: Medium Critical
Vendor Status: Vendor has a released an updated version
   References: http://www.hardened-php.net/advisory_122006.137.html


Overview:

   Quote from http://www.phpmyadmin.net
   "phpMyAdmin is a tool written in PHP intended to handle the 
   administration of MySQL over the Web. Currently it can create and 
   drop databases, create/drop/alter tables, delete/edit/add fields, 
   execute any SQL statement, manage keys on fields, manage privileges,
   export data into various formats and is available in 50 languages."

   It was discovered that phpMyAdmin comes with a script to display
   error messages that supports displaying the error in a user supplied 
   charset. Unfortunately the encoding of the error message is not 
   taking the charset into account which can result into XSS when UTF-7 
   is selected. (Other charsets like US-ASCII can also be used to 
   exploit this in some browsers.)
   
   To trigger this XSS vulnerability an attacker just needs to call 
   the error displaying script with charset=utf-7 and utf-7 encoded
   HTML tags in the error message.
   

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for
   this vulnerability to the public.


Disclosure Timeline:

   18. October 2006    - Contacted phpMyAdmin developers by email
   01. November 2006   - Updated phpMyAdmin was released
   02. November 2006   - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the newest version of
   phpMyAdmin 2.9.0.3 which you can download at:

   http://www.phpmyadmin.net/home_page/downloads.php
   

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFSbPtRDkUzAqGSqERAkcTAJ49t9pfmuBAyvk0UcHuhZe/6cu48gCgp3ea
HoIvssTE/gfvQyAY3BcOhwQ=
=70mU
-----END PGP SIGNATURE-----

Prev by Date: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
Next by Date: Firefox 1.5.0.7 Exploit
Previous by thread: Re: how to trick most of cms avatar upload filter [exemple for : RunCms (PoC)]
Next by thread: Firefox 1.5.0.7 Exploit
Index(es):
- Date
- Thread