-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

        ESB-2006.0730 -- [Win][UNIX/Linux]
              phpMyAdmin Multiple CSRF Vulnerabilities
                              4 October 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              phpMyAdmin
Publisher:            Hardened-PHP Project
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Inappropriate Access
Access:               Remote/Unauthenticated

Original Bulletin:
  http://www.hardened-php.net/advisory_072006.130.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-

     Advisory: phpMyAdmin Multiple CSRF Vulnerabilities
 Release Date: 2006/10/01
Last Modified: 2006/10/01
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: phpMyAdmin <= 2.9.0
     Severity: Multiple vulnerabilities within phpMyAdmin allow
               bypassing its protection against CSRF
         Risk: Medium Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_072006.130.html

Overview:

   Quote from http://www.phpmyadmin.net

   "phpMyAdmin is a tool written in PHP intended to handle the
   administration of MySQL over the Web. Currently it can create and
   drop databases, create/drop/alter tables, delete/edit/add fields,
   execute any SQL statement, manage keys on fields, manage privileges,
   export data into various formats and is available in 50 languages."

   During an audit of phpMyAdmin's protection against CSRF (Cross Site
   Request Forgeries) we discovered that there were multiple ways to
   bypass the protection.
   The failure of phpMyAdmin's CSRF protection obviously means that a
   potential attacker can use CSRF attacks to trick the browser of a
   phpMyAdmin user into executing any kind of SQL query on the victim's
   database server.

Details:

   phpMyAdmin uses a random token that is stored within the user's
   session to protect against Cross Site Request Forgeries. CSRF
   basically means that a website tricks the browser of a visiting user
   into issuing HTTP requests against another site that does not ensure
   that the request was intended. In the case of phpMyAdmin a CSRF
   vulnerability obviously means that another site could trick the
   browser of a phpMyAdmin user into issuing arbitrary SQL queries
   against his database.

   In phpMyAdmin the CSRF protection works like this:

     1) Start PHP's session handling
     2) Is there already a token assigned to the session?
        -> No: create a random token
     3) Is the supplied token equal to the session token?
        -> No: unset() all request variables not in the white-list

   While this design could actually work, the implementation in
   phpMyAdmin was vulnerable to multiple attacks because before and
   during the 3 steps mentioned several modifications to the request
   variable arrays are made and these variables get globalised. (This
   is done within the PHP code and has nothing to do with
   register_globals.)

   The attacks we found target different phases of the CSRF protection.
   The following is an overview of the vulnerabilities within the 3
   phases. For each phase several different attacks are possible.
   Several of the attacks require GPC variables with names that are
   equal to PHP's superglobals, therefore these attacks are
   automatically stopped by our Suhosin extension.

   [-- Token Verification --]

   The token verification could be tricked because there existed
   several flaws in the globalisation routine that allowed destroying
   the content of the session variables.
   Additionally, the special handling of session variables while
   register_globals is activated allowed the session token to be set
   directly from within the URL. Obviously it is very easy to "guess"
   the required token when the token is empty or is set to a value of
   the attacker's choice.

   [-- Determine which variables to unset --]

   The _REQUEST array was used to determine which variables should be
   unset(), but phpMyAdmin contained intended and unintended ways that
   allowed overwriting the content of the _REQUEST array. In the new
   version all GPC arrays are used for this process and the unintended
   way to destroy superglobal arrays within the globalisation was
   closed.

   [-- Unset variables --]

   Unset() is a dangerous function because older PHP versions (that are
   still installed on most servers) contained vulnerabilities that
   allowed bypassing it. For further information take a look at:

   http://www.hardened-php.net/critical_php_vulnerability_explained.124.html

Proof of Concept:

   The Hardened-PHP Project is not going to release exploits for this
   vulnerability to the public.

Disclosure Timeline:

   23. September 2006 - Contacted phpMyAdmin developers by email
   01. October 2006   - Updated phpMyAdmin was released
   01. October 2006   - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   phpMyAdmin 2.9.0.1, which you can download at:

   http://www.phpmyadmin.net/home_page/downloads.php

   As usual we very strongly recommend installing our Suhosin PHP
   extension. It disallows request variables with the same name as PHP
   superglobal arrays. This stops several of the attacks described in
   this advisory. Grab your copy and more information at:

   http://www.hardened-php.net/suhosin/index.html

GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.
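The following is an added example, not code from phpMyAdmin or from the Hardened-PHP Project, showing the three-step token scheme described in the advisory implemented in an order that does not depend on the parts the advisory found fragile: the token is created server-side only, read from the explicit GPC arrays rather than $_REQUEST, compared before any request data is globalised, and a failed check refuses the request instead of unset()-cleaning the variable arrays. The superglobal-name filter mirrors what the advisory credits to Suhosin, done here in application code. It assumes PHP 7.0 or later (for random_bytes and hash_equals); all function and constant names are illustrative.

```php
<?php
// Added example: a CSRF token check in a safe order. Not phpMyAdmin's code.
// Assumes PHP 7.0+ (random_bytes, hash_equals, ??). Names are illustrative.

declare(strict_types=1);

const CSRF_TOKEN_NAME = 'token';

// Request variable names that must never be accepted. A request variable
// called e.g. "_SESSION" or "GLOBALS", once copied into variables by a
// globalisation routine, can overwrite the arrays the check itself relies on.
const FORBIDDEN_VARIABLE_NAMES = [
    'GLOBALS', '_SERVER', '_GET', '_POST', '_COOKIE', '_FILES',
    '_ENV', '_REQUEST', '_SESSION', 'HTTP_SESSION_VARS', 'HTTP_RAW_POST_DATA',
];

/**
 * Steps 1 and 2: start the session and make sure it owns a random token.
 * The token is only ever created here; nothing in the request can set it.
 */
function csrfSessionToken(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_TOKEN_NAME]) || !is_string($_SESSION[CSRF_TOKEN_NAME])) {
        $_SESSION[CSRF_TOKEN_NAME] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_TOKEN_NAME];
}

/**
 * Inspect every GPC array, not just $_REQUEST (whose contents depend on
 * request_order and can differ from $_GET/$_POST/$_COOKIE), for variable
 * names that collide with PHP superglobals.
 */
function requestUsesForbiddenNames(array $get, array $post, array $cookie): bool
{
    foreach ([$get, $post, $cookie] as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array((string) $name, FORBIDDEN_VARIABLE_NAMES, true)) {
                return true;
            }
        }
    }
    return false;
}

/**
 * Step 3: compare the supplied token with the session token.
 * Returns true only when a non-empty string token was supplied and it
 * matches in constant time. Must run before any request data is globalised.
 */
function csrfTokenIsValid(string $sessionToken, array $get, array $post): bool
{
    $supplied = $post[CSRF_TOKEN_NAME] ?? $get[CSRF_TOKEN_NAME] ?? null;
    if (!is_string($supplied) || $supplied === '' || $sessionToken === '') {
        return false;
    }
    return hash_equals($sessionToken, $supplied);
}

/**
 * Guard for a state-changing request (e.g. submitting SQL). Instead of
 * unset()ing non-whitelisted variables and carrying on, an invalid request
 * is refused outright, so there is no cleanup step to bypass.
 */
function guardStateChangingRequest(): void
{
    if (requestUsesForbiddenNames($_GET, $_POST, $_COOKIE)) {
        http_response_code(400);
        exit('Request variable name not allowed.');
    }
    $sessionToken = csrfSessionToken();
    if (!csrfTokenIsValid($sessionToken, $_GET, $_POST)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token.');
    }
    // Only past this point is it safe to act on the request.
}

/** Hidden form field so the legitimate UI can submit the session token. */
function csrfHiddenField(): string
{
    return '<input type="hidden" name="' . CSRF_TOKEN_NAME . '" value="'
        . htmlspecialchars(csrfSessionToken(), ENT_QUOTES, 'UTF-8') . '">';
}
```

Call guardStateChangingRequest() as the first statement of any script that changes state, before any code copies request variables into the global scope; the ordering is the point, since the advisory's three phases were each bypassable because request data was globalised before or during the check.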
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFIA0sRDkUzAqGSqERAkvZAKDUgtJio2X8pXqW82tGrBVDTZ7giwCfV00p
9VZ7BjLg4UkiO7WC8RohqOo=
=+flk
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved
from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked
in any way, we encourage you to let us know by completing the secure
National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBRSM7Fih9+71yA2DNAQKvOgP/YUBcAhbYovUlOjTC+CFi446FEbu8gZ4P
qGuc9Vvc3Hkx5CEtk5ozbVWM6wsUZ5Kq2F0aDLOju+qNrdPK6hA1V42NXtlpOXMI
JmsaWLwKMjFvJyLohmnHQOkHOjrjBjX/i3K7GjzO2wFBRaXOldYw71BYLlxwS6AR
DyBQjMvl16E=
=YEWD
-----END PGP SIGNATURE-----