Date: Mon, 15 Sep 2008 20:50:37 +0200
From: Thijs Kinkhorst <thijs@...ian.org>
To: oss-security@...ts.openwall.com
Cc: coley@...re.org
Subject: phpMyAdmin code execution (CVE request)

Hi all,

"- (2.11.9.1)  [security] Code execution vulnerability"

http://www.phpmyadmin.net/home_page/downloads.php?relnotes=1

"Welcome to this security update for phpMyAdmin 2.11.9.
Details will follow on http://phpmyadmin.net."

http://www.nabble.com/phpMyAdmin-2.11.9.1-is-released-td19497113.html

Attached patch is the fix from upstream. Judging from that (no other 
information is available yet), an authenticated user can supply a crafted 
sort_by parameter to server_databases.php, which will be turned into 
executed PHP code because it is passed into create_function(). It has been present 
at least since 2.9.1.

I would like to have a CVE id to refer to this issue.

Thijs

--- phpMyAdmin-2.11.9-all-languages-utf-8-only/libraries/database_interface.lib.php	2008-08-28 18:48:52.000000000 +0200
+++ phpMyAdmin-2.11.9.1-all-languages-utf-8-only/libraries/database_interface.lib.php	2008-09-15 18:38:06.000000000 +0200
@@ -188,6 +188,32 @@
 }
 
 /**
+ * usort comparison callback
+ *
+ * @param   string  $a first argument to sort 
+ * @param   string  $b second argument to sort 
+ *
+ * @return  integer  a value representing whether $a should be before $b in the
+ *                   sorted array or not
+ *
+ * @global  string   the column the array shall be sorted by
+ * @global  string   the sorting order ('ASC' or 'DESC')
+ *
+ * @access  private
+ */
+function PMA_usort_comparison_callback($a, $b)
+{
+    if ($GLOBALS['cfg']['NaturalOrder']) {
+        $sorter = 'strnatcasecmp';
+    } else {
+        $sorter = 'strcasecmp';
+    }
+    // produces f.e.:
+    // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
+    return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) * $sorter($a[$GLOBALS['callback_sort_by']], $b[$GLOBALS['callback_sort_by']]);
+} // end of the 'PMA_usort_comparison_callback()' function
+
+/**
  * returns array of all tables in given db or dbs
  * this function expects unquoted names:
  * RIGHT: my_database
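Review bot: `$a[$GLOBALS['callback_sort_by']]` in `PMA_usort_comparison_callback()` still uses the request-derived column name unchecked; an unknown name now only yields an undefined-index notice and an unsorted result rather than executing code, but checking that the name is one of the columns the row arrays actually contain (e.g. the `SCHEMA_TABLES` the comment mentions) would make the callback safe regardless of how callers set the global. Minor: the `@global` tags should name `$GLOBALS['callback_sort_by']` and `$GLOBALS['callback_sort_order']` so readers can see which globals the callback depends on, and the two `@param` lines carry trailing whitespace.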
@@ -399,7 +425,7 @@
  * @param   string      $databases      database
  * @param   boolean     $force_stats    retrieve stats also for MySQL < 5
  * @param   resource    $link           mysql link
- * @param   string      $sort_by        collumn to order by
+ * @param   string      $sort_by        column to order by
  * @param   string      $sort_order     ASC or DESC
  * @param   integer     $limit_offset   starting offset for LIMIT
  * @param   bool|int    $limit_count    row count for LIMIT or true for $GLOBALS['cfg']['MaxDbList']
@@ -543,23 +569,10 @@
      * (caused by older MySQL < 5 or $GLOBALS['cfg']['NaturalOrder'])
      */
     if ($apply_limit_and_order_manual) {
-
-        /**
-         * first apply ordering
-         */
-        if ($GLOBALS['cfg']['NaturalOrder']) {
-            $sorter = 'strnatcasecmp';
-        } else {
-            $sorter = 'strcasecmp';
-        }
-
-        // produces f.e.:
-        // return -1 * strnatcasecmp($a["SCHEMA_TABLES"], $b["SCHEMA_TABLES"])
-        $sort_function = '
-            return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);
-        ';
-
-        usort($databases, create_function('$a, $b', $sort_function));
+        $GLOBALS['callback_sort_order'] = $sort_order;
+        $GLOBALS['callback_sort_by'] = $sort_by;
+        usort($databases, 'PMA_usort_comparison_callback');
+        unset($GLOBALS['callback_sort_order'], $GLOBALS['callback_sort_by']);
 
         /**
          * now apply limit
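Review bot: removing the string-built `$sort_function` and the `create_function()` call is the actual fix, since `$sort_by` was concatenated unescaped into PHP source text; the replacement, however, hands `$sort_order` and `$sort_by` to the callback through `$GLOBALS`, so a nested or concurrent call, or an error inside the comparison before the `unset()`, can leave or clobber `callback_sort_by`. With no closures in the PHP of 2008, a `static` in the callback or a small sorter object would carry the same state without touching the global scope. It is also worth validating `$sort_by` against the allowed column names at this point, where the request parameter enters the sort, so `usort()` never sees an arbitrary key.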


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
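As an added example (not phpMyAdmin code and not from the attached patch), the sort described in the mail rewritten so the request-supplied column is only ever an allow-listed array key and never PHP source; it assumes PHP 5.3+ closures, which the 2008 code base could not rely on, and the function name `pma_example_sort_databases` and the `SCHEMA_NAME` sample column are constructed for the illustration.

```php
<?php
// Added example: order database rows by a request-supplied column without
// building code from that value. Assumes PHP >= 5.3 for the closure.

// Allow-list of sortable columns. $sort_by is compared against this set
// before it is used, so it can only ever act as a known array key.
$allowed_sort_columns = array('SCHEMA_NAME', 'SCHEMA_TABLES');

function pma_example_sort_databases(array $databases, $sort_by, $sort_order,
                                    array $allowed, $natural_order = true)
{
    if (!in_array($sort_by, $allowed, true)) {
        throw new InvalidArgumentException('sort_by is not a sortable column');
    }
    // Collapse the order to exactly one of two known values.
    $direction = (strtoupper($sort_order) === 'DESC') ? -1 : 1;
    $sorter    = $natural_order ? 'strnatcasecmp' : 'strcasecmp';

    // The closure captures the validated parameters: no globals to unset,
    // no string-built code, nothing for a second caller to clobber.
    usort($databases, function ($a, $b) use ($sort_by, $direction, $sorter) {
        return $direction * $sorter($a[$sort_by], $b[$sort_by]);
    });
    return $databases;
}

// Constructed sample rows in the shape the patched function sorts.
$databases = array(
    array('SCHEMA_NAME' => 'shop',  'SCHEMA_TABLES' => '12'),
    array('SCHEMA_NAME' => 'blog',  'SCHEMA_TABLES' => '3'),
    array('SCHEMA_NAME' => 'Admin', 'SCHEMA_TABLES' => '120'),
);

// Natural order keeps numeric strings in numeric sequence (120, 12, 3).
$sorted = pma_example_sort_databases($databases, 'SCHEMA_TABLES', 'DESC',
                                     $allowed_sort_columns);
foreach ($sorted as $row) {
    echo $row['SCHEMA_NAME'], ' ', $row['SCHEMA_TABLES'], "\n";
}

// A column name outside the allow-list is refused before any sorting runs.
try {
    pma_example_sort_databases($databases, 'not_a_column', 'ASC',
                               $allowed_sort_columns);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```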
