- Threat Summary
- Alert Logic Coverage
- Recommendations for Mitigation
phpMyAdmin is a remote web server administration tool which is vulnerable to a response splitting attack, CVE-2006-6374. This can allow an attacker to send a request with malicious characters in the first instance and use the response from the server to construct further attacks, such as Cross-site scripting.
- The attacker sends a crafted HTTP POST Request containing malicious CRLF characters, followed by further malicious strings utilized upon exploitation.
- A successful attack causes a 200 Response, whereby the malicious action is completed and evidenced in the response.
- Further malicious leveraging of the vulnerability can occur, which at reasonable worst could include Cross-site scripting (XSS) or Redirect attacks, potentially leading to multiple user or full-site compromise.
phpMyAdmin up to 2.7.0-pl2 must be installed, with the auth_type parameter for the relevant server set to ‘cookie’ within the default configuration file at /path/to/phpMyAdmin/config.inc.php. This enables cookie functionality during site interaction. The Apache/MySQL/PHP4 stack must relatively match the age of the phpMyAdmin version. Security updates to the given stack (notably in PHP for PHP >= 4.4.2 and >= 5.1.2) will prevent exploitation of this vulnerability regardless of the phpMyAdmin version deployed.
A lack of input validation allows for attackers to send a crafted HTTP Request embedding CRLF (as urlencode-format %0d%0a) characters within a Cookie object. This request is parsed by phpMyAdmin and causes a Response split, effectively enabling the malicious user to specify or action any trailing objects, such as HTTP Header values which are then sent back and interpreted by a client.
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Upon discovery of a successful exploit, customers are expected to take normal reasonable action in accordance with their own standard operating procedures, such as:
- Isolate the compromised server instance from the network if it is safe to do so
- Identify any other servers which may also have outdated versions of phpMyAdmin
- Patch the vulnerability from a trusted source or update phpMyAdmin appropriately
- Remove any rogue user accounts, revert any website or system changes and replace data from backups if required
- Test the configuration
- Return the server instance to full operation