Like I said in one post below, few days ago I wrote my own source code security scanner.
Yesterday it found a new 'possible insecure' parameter in new phpMyAdmin (3.4.5).
Here is a quick note about it:
1. goto http://phpMyAdmin-3.4.5-all-languages/setup/index.php
2. Go to 'New server'
3. vulnerable is (could be) $value, be cause:
when you type 'Save' PMA is going to:
http:///phpMyAdmin-3.4.5-all-languages/setup/validate.php (here is $value param).
Content of thi $param should be:
(... this is 'name of the server')
btw: doing research using Data Tamper I check the vulnerable parameter is $Servers-0-verbose in PMA/setup/index.php.
Anyway I dont saw any of this in PMA/setup/index.php (or either in all *.php files located in PMA directory.
So next I decide to search via grep:
so I think vuln is right here ;)
Testing is in progress, so this post will be updated soon...
2.10.2011 * So update here *
It looks like PMA does not validate some "Server-*" parameters.
Vulnerability exist in :
Server-0-verbose <-here will be XSS (upper in this post)
Server-0-host <- here will be vulnerable too
File ./setup/validate.php contains unpropper validation for $value.
Code of XSS placed here is forwarded to ./setup/index.php as a parameters.
And whats next:
to parameters AFTER You click 'Forward' for validate.php try to put the same value (script,etc...) to ./setup/index.php :)
17.10.2011
Update:
www.phpmyadmin.net released the patch for this vuln. Check it out, and try a new version of this amazing webapplication :)
Details here .
*** Important thing ***
I really recommend cooperation with PMA Team. People know what they're doing, and doing it fast! Good job! :)
No comments:
Post a Comment
What do You think...?