===================================================================== CERT-Renater Note d'Information No. 2006/VULN508 _____________________________________________________________________ DATE : 04/10/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Systems running phpMyAdmin versions prior to 2.9.0. ====================================================================== Hardened-PHP Project www.hardened-php.net -= Security Advisory =- Advisory: phpMyAdmin Multiple CSRF Vulnerabilities Release Date: 2006/10/01 Last Modified: 2006/10/01 Author: Stefan Esser [sesser@hardened-php.net] Application: phpMyAdmin <= 2.9.0 Severity: Multiple vulnerabilities within phpMyAdmin allow bypassing it's protection against CSRF Risk: Medium Critical Vendor Status: Vendor has a released an updated version References: http://www.hardened-php.net/advisory_072006.130.html Overview: Quote from http://www.phpmyadmin.net "phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the Web. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, manage keys on fields, manage privileges, export data into various formats and is available in 50 languages." During an audit of phpMyAdmin's protection against CSRF: Cross Site Request Forgeries we discovered that there were multiple ways to bypass the protection. The failure of phpMyAdmin's CSRF protection obviously means that a potential attacker can use CSRF attacks to trick the browser of a phpMyAdmin user to execute any kind of SQL queries on the victims database server. Details: phpMyAdmin uses a random token that is stored within the user's session to protect against Cross Site Request Forgeries. CSRF basically means that a website tricks the browser of a visiting user into issuing HTTP requests against another site that does ensure, that the request was intended. In case of phpMyAdmin a CSRF vulnerability obviously means that another site could trick the browser of a phpMyAdmin user into issuing arbitrary SQL queries against his database. In phpMyAdmin the CSRF protection works like this 1) Start PHP's Session Handling 2) Is there already a token assigned to the session? -> No: create a random token 3) Is supplied token equal to session token? -> No: unset() all request variables not in white-list While this design could actually work the implementation in phpMyAdmin was vulnerable to multiple attacks because before and during the 3 steps mentioned several modifications to the request variable arrays are made and these variables get globalised. (This is done within the PHP code and has nothing to do with register_globals) The attacks we found attack different phases of the CSRF protection. The following is an overview of the vulnerabilities within the 3 phases. For each phase several different attacks are possible. Several of the attacks require GPC variables with names that are equal to PHP's superglobals, therefore these attacks are automatically stopped by our Suhosin extension. [-- Token Verification --] The token verification could be tricked because there existed several flaws in the globalisation routine that allowed destroying the content of the session variables. Additionally the special handling of session variables during while register_globals is activated allowed directly setting the session token from within the URL. Obviously it is very easy to "guess" the required token when the token is empty or is set to a value of his choice. [-- Determine which variables to unset --] The _REQUEST array was used to determine which variables should be unset() but phpMyAdmin contained intended and unintended ways that allowed overwriting the content of the _REQUEST array. In the new version all GPC arrays are used for this process and the unintended way to destroy superglobal arrays within the globalisation was closed. [-- Unset variables --] Unset() is a dangerous function because older PHP versions (that are still installed on most servers) contained vulnerabilities that allowed bypassing it. For further information take a look at: http://www.hardened-php.net/critical_php_vulnerability_explained.124.html Proof of Concept: The Hardened-PHP Project is not going to release exploits for this vulnerability to the public. Disclosure Timeline: 23. September 2006 - Contacted phpMyAdmin developers by email 01. October 2006 - Updated phpMyAdmin was released 01. October 2006 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the newest version of phpMyAdmin 2.9.0.1 which you can download at: http://www.phpmyadmin.net/home_page/downloads.php As usual we very strongly recommend to install our Suhosin PHP extension. It disallows request variables with the same name as PHP superglobal arrays. This stops several of the attacks described in this advisory. Grab your copy and more information at: http://www.hardened-php.net/suhosin/index.html GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================