Thursday, 29 September 2011

Stored XSS in phpMyAdmin 3.4.5-all-languages *update*17.10.2011*

As I said in a post below, a few days ago I wrote my own source-code security scanner.
Yesterday it found a new 'possibly insecure' parameter in the new phpMyAdmin (3.4.5).
Here is a quick note about it:

1. Go to http://phpMyAdmin-3.4.5-all-languages/setup/index.php
2. Go to 'New server'
3. The vulnerable parameter is (could be) $value, because
when you click 'Save' PMA goes to:
http:///phpMyAdmin-3.4.5-all-languages/setup/validate.php (this is where the $value param is).
The content of this param should be:

(... this is the 'name of the server')
Btw: doing research with Data Tamper, I checked that the vulnerable parameter is $Servers-0-verbose in PMA/setup/index.php.
Anyway, I didn't see any of this in PMA/setup/index.php (or in any of the *.php files located in the PMA directory).
So next I decided to search via grep:

So I think the vuln is right here ;)

Testing is in progress, so this post will be updated soon...

2.10.2011 * Update *
It looks like PMA does not validate some "Server-*" parameters.
The vulnerability exists in:
Server-0-verbose <- here will be XSS (see above in this post)
Server-0-host <- vulnerable too

File ./setup/validate.php contains improper validation of $value.
The XSS code placed here is forwarded to ./setup/index.php as parameters.
And what's next:

After you click 'Forward' for validate.php, try to put the same value (script, etc.) into the parameters of ./setup/index.php :)
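To make the bug class concrete, here is an added example (not phpMyAdmin's own code and not from the original post) of a setup-style form handler that echoes the submitted Servers-0-verbose and Servers-0-host values back into HTML unescaped, beside a hardened handler that validates the host and escapes every value before output. The parameter names come from the post; the function names, the hostname regex and the fallback value are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin code: the unvalidated-parameter pattern from the
// post, and a hardened version. Function names and regex are assumptions.

// Vulnerable pattern: submitted values are concatenated straight into markup,
// so a double quote followed by a tag breaks out of the value="..." attribute.
function renderServerRowUnsafe(array $params): string
{
    $verbose = $params['Servers-0-verbose'] ?? '';
    $host    = $params['Servers-0-host'] ?? 'localhost';
    return '<input name="Servers-0-verbose" value="' . $verbose . '">'
         . '<input name="Servers-0-host" value="' . $host . '">';
}

// Escape for an HTML attribute/text context. ENT_QUOTES covers both quote
// styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only an RFC 1123 style hostname or an IP literal; otherwise null.
// (Assumed validation rule; a project may use a narrower one.)
function validateHost(string $host): ?string
{
    $hostname = '/^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?'
              . '(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$/i';
    if (preg_match($hostname, $host) === 1 || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return $host;
    }
    return null;
}

// Hardened pattern: validate what has a known shape (host), escape everything.
// The free-text "verbose" name cannot be whitelisted, so escaping is the control.
function renderServerRowSafe(array $params): string
{
    $verbose = (string) ($params['Servers-0-verbose'] ?? '');
    $host    = validateHost((string) ($params['Servers-0-host'] ?? 'localhost'));
    if ($host === null) {
        $host = 'localhost';   // do not echo the rejected value back at all
    }
    return '<input name="Servers-0-verbose" value="' . h($verbose) . '">'
         . '<input name="Servers-0-host" value="' . h($host) . '">';
}

// Constructed request, modelled on the post: a tag injected via the server name
// and via the host field. Harmless test strings, not real payloads.
$request = [
    'Servers-0-verbose' => '"><script>alert(1)</script>',
    'Servers-0-host'    => '"><img src=x onerror=alert(2)>',
];

echo "Unsafe:\n" . renderServerRowUnsafe($request) . "\n\n";
echo "Safe:\n"   . renderServerRowSafe($request)   . "\n";
```

Run with `php example.php`: the unsafe output contains a live `<script>` element after the first input, while the safe output shows `&quot;&gt;&lt;script&gt;...` inside the attribute and `localhost` for the rejected host. The point the post makes also applies here: validate.php escaping its own output is not enough if index.php re-renders the same values, so the escaping has to happen at every output point, not only on the first form.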


Update: the patch for this vuln has been released. Check it out, and try the new version of this amazing web application :)

Details here.

*** Important thing *** I really recommend cooperating with the PMA Team. These people know what they're doing, and they do it fast! Good job! :)
