Bug 130226 (CVE-2005-3299)

We received the following report via full-disclosure.
The issue is public.

Date: Sat, 22 Oct 2005 15:33:46 +0200
From: Stefan Esser <sesser@hardened-php.net>
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Cc: 
Subject: [Full-disclosure] Advisory 16/2005: phpMyAdmin Local File Inclusion
	Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                        Hardened-PHP Project
                        www.hardened-php.net

                      -= Security  Advisory =-



     Advisory: phpMyAdmin Local File Inclusion Vulnerability
 Release Date: 2005/10/22
Last Modified: 2005/10/22
       Author: Stefan Esser [sesser@hardened-php.net]

  Application: phpMyAdmin <= 2.6.4-pl2
     Severity: A design flaw within phpMyAdmin allows inclusion
               of arbitrary files, which usually leads to remote
    	       code execution
         Risk: Critical
Vendor Status: Vendor has released an updated version
   References: http://www.hardened-php.net/advisory_162005.73.html


Overview:

   Quote from www.phpmyadmin.net:
   "phpMyAdmin is a tool written in PHP intended to handle the 
   administration of MySQL over the Web. Currently it can create 
   and drop databases, create/drop/alter tables, delete/edit/add 
   fields, execute any SQL statement, manage keys on fields, manage 
   privileges,export data into various formats and is available 
   in 50 languages."
   
   And audit of phpMyAdmin revealed a design flaw in the way 
   phpMyAdmin includes it's register_globals compatibility layer,
   that allows inclusion of arbitrary local files, which usually
   leads to remote code execution.
   
   *** NOTE: This vulnerability is not exploitable if you are 
             running PHP with our Hardening-Patch applied


Details:

   phpMyAdmin comes with a register_globals emulation layer within
   grab_globals.php, to ensure compatibility with hosts where this 
   feature is turned off. This file is usually included at the very
   beginning, so that globalizing the request variables does not
   overwrite already used script variables. When the _GET and _POST
   variables are extracted it is even ensured, that certain names
   cannot be overwritten. This safety checks are not in effect, when 
   the _FILES array, which holds information about uploaded files, 
   is merged into the global namespace. 
   
   Unfortunately phpMyAdmin comes with a few files that were not meant
   to be called directly and that do not include grab_globals.php but 
   common.lib.php in the beginning. This results f.e. in the following
   include tree:
   
      - db_details_db_info.php
      \___ libraries/common.lib.php
           \___ libraries/select_lang.lib.php
	   \   \___ libraries/grab_globals.php
	   \   \___ lang/a-language.inc.php
	   \___ ...       
	       
   From this one can see, that grab_globals.php will be included by
   select_lang.lib.php, if it is not included in the very beginning.
   This has the bad side effect, that the globalisation of the request
   variables is executed *after* common.lib.php has loaded the $cfg
   configuration array. In combination with the fact, that the _FILES
   array is not protected against keys with the name 'cfg', it is
   possible to overwrite the content of the configuration array in
   a way, that empties the content of the $cfg['ThemePath'] variable.
   This variable contains the path to a directory, that contains the
   supported themes. With the same overwrite it is possible to fill
   the variable $cfg['ThemeManager'] with a value, which evaluates to
   true.
   
   The idea behind this overwrite is to exploit an include statement
   which tries to verify the existance of a theme, selected through
   f.e. a supplied cookie variable:
   
   @include($cfg['ThemePath'].'/'.$GLOBALS['theme'].'/info.inc.php');
   
   Due to the fact, that $cgf['ThemePath'] is empty and the global
   variable theme is filled with the content of a user supplied 
   cookie, it is possible to use either a %00 or a realpath() 
   truncation attack on the include filename to include any file,
   that can be accessed by the webserver.
   
   At this point a few things have to be noted:
   
      1) When reading the theme name from the cookie directory the 
         value is sanitizied against directory traversal attacks
	 by removing .. from the filename. However the attack
	 described here results in an absolute filepath beeing
	 included, therefore any protection against directory
	 traversal attacks is worthless.
	 
      2) A %00 filename truncation attack will only work if
         magic_quotes_gpc is turned off, which is however the
	 recommended setting. A realpath() truncation attack on
	 the other hand will only work agains malfunctional
	 realpath() implementation, which can be found in f.e.
	 older OpenBSD versions.
	 
      3) This vulnerability *cannot* be exploited, when your server
         uses our PHP Hardening-Patch, because it has a build in
	 protection against such include-filename truncation
	 attacks.
	 

Proof of Concept:

   The Hardened-PHP project is not going to release exploits for 
   this vulnerability to the public.


Disclosure Timeline:

   15. October 2005 - Contacted phpMyAdmin developers by email
   21. October 2005 - Vendor notifies me about planned release
   22. October 2005 - Release of new phpMyAdmin version
   22. October 2005 - Public Disclosure


Recommendation:

   It is strongly recommended to upgrade to the new version of
   phpMyAdmin which you can download at:

   http://www.phpmyadmin.net/home_page/downloads.php


GPG-Key:

   http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1


Copyright 2005 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQFDWki0RDkUzAqGSqERAn2tAJ9obBXrgmTnYhuE9/jfxddfHbCrhwCggf8T
11j2W1NBEeiMg7IIgCmVjxg=
=VqEK
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/