Skip to content ↓ | Skip to navigation ↓

Recently, while fuzz testing phpMyAdmin – a popular web application developed in PHP used to manage and administer MySQL databases, I found a Cross-Site Scripting (XSS) vulnerability.

This vulnerability was assigned CVE-2014-1879 by MITRE. The phpMyAdmin security advisory for this vulnerability can be found here.

This particular vulnerability existed within the application’s “Import” function and was due to improper input sanitization of the filename for a file being imported. For example, script could be added to the filename and because of a lack of input sanitization/validation, the script contained within the file’s name would execute within the context of the phpMyAdmin web application.

The fix was quite simple. The actual diff of the fixed code is located at phpMyAdmin’s github.Two lines of code were modified:

Vulnerable Code: $message->addString(‘(‘ . $local_import_file . ‘)’);
Fixed Code: $message->addString(‘(‘ . htmlspecialchars($local_import_file) . ‘)’);

Vulnerable Code: $message->addString(‘(‘ . $_FILES[‘import_file’][‘name’] . ‘)’);
Fixed Code: $message->addString(‘(‘ . htmlspecialchars($_FILES[‘import_file’][‘name’]) . ‘)’);

Particularly, the “input” to the vulnerable code was being read and processed without sanitization. The input in this case was a filename as stored on disk. The fix was to simply process this input text using the PHP function ‘htmlspecialchars()’. The htmlspecialchars() function converts various special characters to HTML entities, and the final transformation allows the user’s browser to represent the script appropriately as rendered HTML instead of as executed script.

In most cases, input sanitization is trivial, i.e., as shown above with a simple call to a sanitization function. So, when you are developing web applications keep this in mind: all inputs are guilty until proven innocent – wrap those inputs with appropriate sanitization techniques.

 

Related Articles:

 

Resources:

picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.

 

picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].

 

Title image courtesy of ShutterStock