phpMyAdmin 'libraries/header_http.inc.php' Lets Remote Users Conduct HTTP Response Splitting Attacks
|
|
SecurityTracker Alert ID: 1015213
|
|
SecurityTracker URL: http://securitytracker.com/id?1015213
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Nov 15 2005
|
Impact: Disclosure of system information, Disclosure of user information, Modification of system information
|
Version(s): 2.7.0-beta1; possibly other versions
|
Description: A vulnerability was reported in phpMyAdmin. A remote user can conduct HTTP response splitting attacks. A remote user can also determine the installation path.
If register_globals is enabled, a remote user can submit a specially crafted URL for the 'libraries/header_http.inc.php' script to
cause the target server to return a split response. A remote user can exploit this to spoof content on the target server, attempt
to poison any intermediate web caches, or conduct cross-site scripting attacks.
A remote user can directly access the following
files to cause the system to disclose the installation path:
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_qu
ery_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.p
hp
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/di
splay_tbl_links.lib.php
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/dis
play_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
l
ibraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries
/sqlvalidator.lib.php
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.ph
p
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)
Toni Koivunen of fitsec.com reported this vulnerability.
The
original advisory is available at:
http://www.fitsec.com/advisories/FS-05-02.txt
|
Impact: A remote user can create a URL that, when loaded by the target user, will cause arbitrary content to be displayed.
A remote user
may be able to poison any intermediate web caches with arbitrary content.
A remote user can determine the installation path.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.phpmyadmin.net/ (Links to External Site)
|
Cause: Access control error, Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Toni Koivunen <toni.koivunen@fitsec.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 15 Nov 2005 13:53:50 +0200
From: Toni Koivunen <toni.koivunen@fitsec.com>
Subject: [Full-disclosure] [FS-05-02] Multiple vulnerabilities in phpMyAdmin
|
===============================================================================
_________________________________________
Security Advisory
_________________________________________
http://www.fitsec.com/advisories/FS-05-02.txt
_________________________________________
Severity: Low/Medium
Title: Multiple vulnerabilities in phpMyAdmin
Date: 12.11.2005
ID: FS-05-02
Author: Toni Koivunen (toni.koivunen (at) fitsec.com)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Background:
phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the Web. Currently it can create and drop
databases, create/drop/alter tables, delete/edit/add fields, execute any
SQL statement, manage keys on fields.
Affected versions:
Atleast 2.7.0-beta1, most likely others versions also.
Description:
Vuln 1:
Full Path Disclosures in the following files:
libraries/string.lib.php
libraries/storage_engines.lib.php
libraries/sqlparser.lib.php
libraries/sql_query_form.lib.php
libraries/select_theme.lib.php
libraries/select_lang.lib.php
libraries/relation_cleanup.lib.php
libraries/left_header.inc.php
libraries/import.lib.php
libraries/header_meta_style.inc.php
libraries/grab_globals.lib.php
libraries/get_foreign.lib.php
(get_foreign.lib.php?field=foo&foreigners[foo]=foo)
libraries/display_tbl_links.lib.php
(display_tbl_links.lib.php?doWriteModifyAt=left&edit_url=foo)
libraries/display_import.lib.php
libraries/display_export.lib.php
libraries/display_create_table.lib.php
libraries/display_create_database.lib.php
libraries/db_table_exists.lib.php
libraries/database_interface.lib.php
libraries/common.lib.php
libraries/check_user_privileges.lib.php
libraries/charset_conversion.lib.php
(charset_conversion.lib.php?cfg[AllowAnywhereRecoding]=true&allow_recoding=true)
libraries/sqlvalidator.lib.php
(libraries/sqlvalidator.lib.php?cfg[SQLValidator]=use=TRUE)
libraries/import/sql.php
libraries/fpdf/ufpdf.php
libraries/auth/cookie.auth.lib.php
(libraries/auth/cookie.auth.lib.php?coming_from_common=true)
Vuln 2:
Http Response Splitting in libraries/header_http.inc.php
The script doesn't check for direct access. If register_globals
is on, it is possible for a remote attacker to cause http
response splitting.
Impact:
A remote attacker could exploit this to learn installation paths on
server.
The HTTP Response splitting vulnerability can lead to user compromise
amongst other things.
Status:
12.11.2005 Vulnerabilities found
Acknowledgements:
To the community at dievo.org, keep it up :)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
|
|
