Products Openwall GNU/*/Linux   server OS John the Ripper   password cracker Free & Open Source for any platform Pro for Linux (RPM package) Pro for Mac OS X (dmg package) Wordlists   for password cracking passwdqc   policy enforcement phpass   password hashing in PHP crypt_blowfish   ditto in C/C++ tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login Linux kernel security hardening Services Publications Articles Presentations Community Mailing lists Community wiki Donations Resources Source code repository (CVSweb) File archive & mirrors How to verify digital signatures Password recovery resources Recommended books What's new

Date: Mon, 15 Sep 2008 20:50:37 +0200
From: Thijs Kinkhorst <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: phpMyAdmin code execution (CVE request)

Hi all,

"- (2.11.9.1)  [security] Code execution vulnerability"

http://www.phpmyadmin.net/home_page/downloads.php?relnotes=1

"Welcome to this security update for phpMyAdmin 2.11.9.
Details will follow on http://phpmyadmin.net."

http://www.nabble.com/phpMyAdmin-2.11.9.1-is-released-td19497113.html

Attached patch is the fix from upstream. Judging from that (no other 
information is available yet), an authenticated user can supply a crafted 
sort_by parameter to server_databases.php, which will be turned in to 
executed PHP code because it is passed into create_function(). It is present 
at least since 2.9.1.

I would like to have a CVE id to refer to this issue.

Thijs

--- phpMyAdmin-2.11.9-all-languages-utf-8-only/libraries/database_interface.lib.php	2008-08-28 18:48:52.000000000 +0200
+++ phpMyAdmin-2.11.9.1-all-languages-utf-8-only/libraries/database_interface.lib.php	2008-09-15 18:38:06.000000000 +0200
@@ -188,6 +188,32 @@
 }
 
 /**
+ * usort comparison callback
+ *
+ * @param   string  $a first argument to sort 
+ * @param   string  $b second argument to sort 
+ *
+ * @return  integer  a value representing whether $a should be before $b in the
+ *                   sorted array or not
+ *
+ * @global  string   the column the array shall be sorted by
+ * @global  string   the sorting order ('ASC' or 'DESC')
+ *
+ * @access  private
+ */
+function PMA_usort_comparison_callback($a, $b)
+{
+    if ($GLOBALS['cfg']['NaturalOrder']) {
+        $sorter = 'strnatcasecmp';
+    } else {
+        $sorter = 'strcasecmp';
+    }
+    // produces f.e.:
+    // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
+    return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
+} // end of the 'PMA_usort_comparison_callback()' function
+
+/**
  * returns array of all tables in given db or dbs
  * this function expects unquoted names:
  * RIGHT: my_database
@@ -399,7 +425,7 @@
  * @param   string      $databases      database
  * @param   boolean     $force_stats    retrieve stats also for MySQL < 5
  * @param   resource    $link           mysql link
- * @param   string      $sort_by        collumn to order by
+ * @param   string      $sort_by        column to order by
  * @param   string      $sort_order     ASC or DESC
  * @param   integer     $limit_offset   starting offset for LIMIT
  * @param   bool|int    $limit_count    row count for LIMIT or true for $GLOBALS['cfg']['MaxDbList']
@@ -543,23 +569,10 @@
      * (caused by older MySQL < 5 or $GLOBALS['cfg']['NaturalOrder'])
      */
     if ($apply_limit_and_order_manual) {
-
-        /**
-         * first apply ordering
-         */
-        if ($GLOBALS['cfg']['NaturalOrder']) {
-            $sorter = 'strnatcasecmp';
-        } else {
-            $sorter = 'strcasecmp';
-        }
-
-        // produces f.e.:
-        // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
-        $sort_function = '
-            return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);
-        ';
-
-        usort($databases, create_function('$a, $b', $sort_function));
+        $GLOBALS['callback_sort_order'] = $sort_order;
+        $GLOBALS['callback_sort_by'] = $sort_by;
+        usort($databases, 'PMA_usort_comparison_callback');
+        unset($GLOBALS['callback_sort_order'], $GLOBALS['callback_sort_by']);
 
         /**
          * now apply limit


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ