Дополнительная информация

Ежедневная сводка ошибок в Web-приложениях (PHP, ASP, JSP, CGI, Perl )

[SA22690] Yazd Discussion Forum Two Security Bypass Issues

FreeWebshop.org Script <= 2.2.2 Multiple Remote Vulnerabilities

MODx CMS 0.9.2.1 (base_path) Remote File Include Vulnerability

From:	Stefan Esser <sesser_(at)_hardened-php.net>
Date:	3 ноября 2006 г.
Subject:	Advisory 12/2006: phpMyAdmin - error.php XSS Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                       Hardened-PHP Project
                       www.hardened-php.net

                     -= Security  Advisory =-


    Advisory: phpMyAdmin - error.php XSS Vulnerability
Release Date: 2006/11/02
Last Modified: 2006/11/02
      Author: Stefan Esser [sesser@hardened-php.net]

 Application: phpMyAdmin <= 2.9.0.2
    Severity: XSS vulnerability in an error displaying script
        Risk: Medium Critical
Vendor Status: Vendor has a released an updated version
  References: http://www.hardened-php.net/advisory_122006.137.html


Overview:

  Quote from http://www.phpmyadmin.net
  "phpMyAdmin is a tool written in PHP intended to handle the
  administration of MySQL over the Web. Currently it can create and
  drop databases, create/drop/alter tables, delete/edit/add fields,
  execute any SQL statement, manage keys on fields, manage privileges,
  export data into various formats and is available in 50 languages."

  It was discovered that phpMyAdmin comes with a script to display
  error messages that supports displaying the error in a user supplied
  charset. Unfortunately the encoding of the error message is not
  taking the charset into account which can result into XSS when UTF-7
  is selected. (Other charsets like US-ASCII can also be used to
  exploit this in some browsers.)
  
  To trigger this XSS vulnerability an attacker just needs to call
  the error displaying script with charset=utf-7 and utf-7 encoded
  HTML tags in the error message.
  

Proof of Concept:

  The Hardened-PHP Project is not going to release exploits for
  this vulnerability to the public.


Disclosure Timeline:

  18. October 2006    - Contacted phpMyAdmin developers by email
  01. November 2006   - Updated phpMyAdmin was released
  02. November 2006   - Public Disclosure


Recommendation:

  It is strongly recommended to upgrade to the newest version of
  phpMyAdmin 2.9.0.3 which you can download at:

  http://www.phpmyadmin.net/home_page/downloads.php
  

GPG-Key:

  http://www.hardened-php.net/hardened-php-signature-key.asc

  pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
  Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFSbPtRDkUzAqGSqERAkcTAJ49t9pfmuBAyvk0UcHuhZe/6cu48gCgp3ea
HoIvssTE/gfvQyAY3BcOhwQ=
=70mU
-----END PGP SIGNATURE-----