Cloud Híbrida
Ciberseguridad & NaaS
AI & Data
IoT y Conectividad
Business Applications
Intelligent Workplace
Consultoría y Servicios Profesionales
Pequeña y Mediana Empresa
Sanidad y Social
Industria
Retail
Turismo y Ocio
Transporte y Logística
Energía y Utilities
PhpMyAdmin fixes a XSS detected by ElevenPaths (CVE-2014-9219)
4 de diciembre de 2014
On November 28th, while our
Faast team was developing an intrusion module for
PhpMyAdmin MySQL manager, we detected a new cross site scripting vulnerability not known so far in this popular program. It has been privately reported to the team responsible for PhpMyAdmin security and the
CVE-2014-9219 has been assigned. It affected all known versions.
Vulnerability and fix announce
PhpMyAdmin security team has reacted promptly and in just three days they have fixed the problem and released a new version. The vulnerability (currently exploitable in any version previous to 4.2.13.1) relies in a bad filtering in the "url.php" file. The function htmlspecialchars was being incorrectly used.
The div below shows the applied patch where htmlspecialchars function is replaced by PMA_escapeJsString.
Commit
9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 with the fixing line
Just filtering HTML special characters, its exploitation was trivial. Besides, i t was possible to bypass anti-XSS protections in browsers, because the injected code was reflexed into a "script" tag. This kind of vulnerabilities are very common in web applications, and allow different attacks, as obtaining session cookies, as shown in the div below.
Exploiting the vulnerability
If you are using PhpMyAdmin, it is recommended to update as soon as possible to latest version (4.2.13.1) or applying the patch available here. Besides, we recommend using Faast that, of course, already detects this vulnerability.
Finally, remember we have a Latch plugin for PhpMyAdmin. All the information about how to install it, is here.
Vulnerability and fix announce
PhpMyAdmin security team has reacted promptly and in just three days they have fixed the problem and released a new version. The vulnerability (currently exploitable in any version previous to 4.2.13.1) relies in a bad filtering in the "url.php" file. The function htmlspecialchars was being incorrectly used.
The div below shows the applied patch where htmlspecialchars function is replaced by PMA_escapeJsString.
Commit
9b2479b7216dd91a6cc2f231c0fd6b85d457f6e2 with the fixing line
Just filtering HTML special characters, its exploitation was trivial. Besides, i t was possible to bypass anti-XSS protections in browsers, because the injected code was reflexed into a "script" tag. This kind of vulnerabilities are very common in web applications, and allow different attacks, as obtaining session cookies, as shown in the div below.
Exploiting the vulnerability
If you are using PhpMyAdmin, it is recommended to update as soon as possible to latest version (4.2.13.1) or applying the patch available here. Besides, we recommend using Faast that, of course, already detects this vulnerability.
Finally, remember we have a Latch plugin for PhpMyAdmin. All the information about how to install it, is here.
Manuel Fernández
manuel.fernandez@11paths.com
