
06/19/17: phpMyAdmin Core CRLF/HTTP Response Splitting | Security Bulletin


Threat Summary

Overview

phpMyAdmin is a web-based server administration tool that is vulnerable to an HTTP response splitting attack, CVE-2006-6374. An attacker can first send a request containing malicious characters and then use the resulting response from the server to construct further attacks, such as cross-site scripting.

Exploitation

Stages

  1. The attacker sends a crafted HTTP POST request containing malicious CRLF characters, followed by further malicious strings that are used once the split succeeds.
  2. A successful attack produces a 200 response in which the malicious action is completed and visible in the response body or headers.
  3. The vulnerability can then be leveraged further; in a realistic worst case this includes cross-site scripting (XSS) or redirect attacks, potentially leading to the compromise of multiple users or of the whole site.

Prerequisites

phpMyAdmin up to and including 2.7.0-pl2 must be installed, with the auth_type parameter for the relevant server set to ‘cookie’ in the default configuration file at /path/to/phpMyAdmin/config.inc.php. This enables cookie functionality during site interaction. The Apache/MySQL/PHP4 stack must be of roughly the same age as the phpMyAdmin version. Security updates to that stack (notably PHP >= 4.4.2 and >= 5.1.2) prevent exploitation of this vulnerability regardless of the phpMyAdmin version deployed.

Vulnerability Description

A lack of input validation allows an attacker to send a crafted HTTP request that embeds CRLF characters (URL-encoded as %0d%0a) within a Cookie value. phpMyAdmin parses this request and the CRLF splits the response, effectively letting the malicious user supply any trailing content, such as HTTP header values, which is then sent back to and interpreted by the client.
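The following is an added example, not code from the bulletin or from phpMyAdmin, illustrating the two defensive checks this description implies: a detection rule that flags a Cookie value carrying raw or URL-encoded CRLF (single- or double-encoded) in an incoming request, and a response-side guard that refuses to emit a header value containing CR/LF, which is the kind of check the bulletin credits to the patched PHP versions. The cookie name and request samples are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Matches a bare CR/LF or a still-encoded %0d/%0a. It is applied to the decoded
# value, so both a single-encoded and a double-encoded (%250d%250a) sequence match.
_CRLF_RE = re.compile(r"[\r\n]|%0[dD]|%0[aA]")


def parse_request_headers(raw: str) -> dict:
    """Map lower-cased header names to values from a raw HTTP request; first occurrence wins."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), value.strip())
    return headers


def cookie_crlf_findings(raw: str) -> list:
    """Detection rule: names of cookies whose value carries CR/LF, raw or URL-encoded."""
    findings = []
    for part in parse_request_headers(raw).get("cookie", "").split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        if _CRLF_RE.search(unquote(value)):
            findings.append(name.strip())
    return findings


def safe_header(name: str, value: str) -> str:
    """Build one response header line, refusing a literal CR/LF in name or value."""
    if re.search(r"[\r\n]", name + value):
        raise ValueError("CR/LF not allowed in header %r" % name)
    return "%s: %s" % (name, value)


# Constructed sample requests (not captured traffic); 'lang' is a placeholder cookie name.
BENIGN_REQUEST = "POST /index.php HTTP/1.1\r\nHost: pma.example\r\nCookie: lang=en\r\n\r\n"
CRLF_REQUEST = "POST /index.php HTTP/1.1\r\nHost: pma.example\r\nCookie: lang=en%0d%0aX-Injected:%20test\r\n\r\n"
DOUBLE_ENCODED_REQUEST = "POST /index.php HTTP/1.1\r\nHost: pma.example\r\nCookie: lang=en%250d%250a\r\n\r\n"

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, CRLF_REQUEST, DOUBLE_ENCODED_REQUEST):
        print(cookie_crlf_findings(req))
```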


Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) in Alert Logic Threat Manager™ has been updated with new signatures for this exploit. If a signature is matched, an incident is generated in the Alert Logic console.


Recommendations for Mitigation

Upon discovery of a successful exploit, customers are expected to take the normal, reasonable actions defined by their own standard operating procedures, such as:

  • Isolate the compromised server instance from the network if it is safe to do so
  • Identify any other servers which may also have outdated versions of phpMyAdmin
  • Patch the vulnerability from a trusted source or update phpMyAdmin appropriately
  • Remove any rogue user accounts, revert any website or system changes and replace data from backups if required
  • Test the configuration
  • Return the server instance to full operation
