In this week’s digest, we will discuss:
- an XSS vulnerability in phpMyAdmin drag-and-drop upload;
- a buffer overflow vulnerability in the ClamAV scanning library; and
- an HTTP content smuggling bug in HAProxy.
XSS vulnerability in phpMyAdmin drag-and-drop upload
An anonymous reporter discovered a Cross-Site Scripting (XSS) vulnerability in the upload functionality of phpMyAdmin. It allows an authenticated user to trigger XSS by uploading a maliciously crafted .sql file through phpMyAdmin's drag-and-drop import interface.
The vulnerability affects phpMyAdmin versions before 4.9.11 and 5.x before 5.2.1; phpMyAdmin has released 4.9.11 and 5.2.1 to fix it. Where an immediate upgrade is not possible, administrators can disable the drag-and-drop import feature by setting the configuration directive $cfg['enable_drag_drop_import'] to false in config.inc.php, which removes the vulnerable functionality entirely.
The vulnerability, registered as CVE-2023-25727, was scored 5.4 (medium) on CVSS by NIST, reflecting low impact to confidentiality and integrity and no impact to availability: exploitation requires an authenticated user to upload the crafted file and a victim to load the page where the injected content is rendered. A successful attack runs attacker-controlled script in the victim's browser within the context of their phpMyAdmin session.
ClamAV HFS+ partition scanning buffer overflow vulnerability
On February 15, 2023, a vulnerability in the ClamAV scanning library was disclosed. The HFS+ partition file parser in ClamAV versions 1.0.0 and earlier, 0.105.1 and earlier, and 0.103.7 and earlier contains a flaw that could allow an unauthenticated, remote attacker to execute arbitrary code on a target system.
The root cause is a missing buffer size check in the HFS+ partition file parser, which can result in a heap buffer overflow write. The attacker needs no access to the target: it is enough to deliver a specially crafted HFS+ partition file to a system where ClamAV will scan it, for example as an email attachment passing through a mail gateway or as a file written to a scanned share. When the engine parses the crafted file, the overflow is triggered.
Depending on how the attacker shapes the overflow, the outcome is either arbitrary code execution with the privileges of the scanning process, which could give the attacker unauthorized access to the system, the ability to steal sensitive data, or a foothold to install malware, or a crash of the ClamAV scanning process, producing a denial-of-service (DoS) condition that disrupts the scanning the target system depends on.
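To make the bug class concrete, here is an added example (not ClamAV's code and not the HFS+ format): a toy parser for a record whose on-disk header declares a payload length, shown once without and once with the buffer size check. NODE_SIZE, the two-byte length prefix layout, and the sample records are all constructed for this example.

```c
/* Added example, not ClamAV's code: a toy parser for a record whose header
 * declares a payload length, in the shape of the bug described above.
 * NODE_SIZE, the record layout and the sample inputs are all constructed here. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NODE_SIZE 64   /* hypothetical fixed heap allocation for one parsed node */

/* Constructed record layout: 2-byte big-endian payload length, then the payload. */
static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable variant: it checks that the declared payload is actually present in
 * the input, but never that it fits the NODE_SIZE node it is copied into. A file
 * declaring more than NODE_SIZE bytes makes memcpy write past the end of the heap
 * allocation. Never call it on such input; that is undefined behaviour. */
int parse_record_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *node)
{
    if (rec_len < 2)
        return -1;
    size_t len = read_be16(rec);
    if (len > rec_len - 2)
        return -1;                 /* truncated input */
    memcpy(node, rec + 2, len);    /* heap overflow write when len > NODE_SIZE */
    return (int)len;
}

/* Hardened variant: the same parser with the missing buffer size check added. */
int parse_record_checked(const uint8_t *rec, size_t rec_len, uint8_t *node)
{
    if (rec_len < 2)
        return -1;
    size_t len = read_be16(rec);
    if (len > rec_len - 2)
        return -1;                 /* truncated input */
    if (len > NODE_SIZE)
        return -1;                 /* reject what the node cannot hold */
    memcpy(node, rec + 2, len);
    return (int)len;
}

/* Build a record declaring `declared` payload bytes (filled with 'A') into buf,
 * which must hold at least declared + 2 bytes. Returns the record length. */
size_t build_record(uint8_t *buf, uint16_t declared)
{
    buf[0] = (uint8_t)(declared >> 8);
    buf[1] = (uint8_t)(declared & 0xff);
    memset(buf + 2, 'A', declared);
    return (size_t)declared + 2;
}

int main(void)
{
    uint8_t rec[4096];
    uint8_t *node = malloc(NODE_SIZE);
    if (!node)
        return 1;

    /* Constructed crafted input: declares 256 payload bytes for a 64-byte node. */
    size_t n = build_record(rec, 256);
    printf("crafted record: checked parser returned %d\n",
           parse_record_checked(rec, n, node));

    /* Benign input: both parsers agree. */
    n = build_record(rec, 16);
    printf("benign record: vulnerable=%d checked=%d\n",
           parse_record_vulnerable(rec, n, node),
           parse_record_checked(rec, n, node));
    free(node);
    return 0;
}
```

Built with -fsanitize=address, calling parse_record_vulnerable on the crafted record aborts with a heap-buffer-overflow report, which is how this kind of parser bug is typically surfaced by fuzzing; the checked variant simply returns -1 and the scanner moves on to the next file.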
ClamAV has released versions 0.103.8, 0.105.2, and 1.0.1, which patch the vulnerability.
HTTP content smuggling bug in HAProxy
A security research team from Northeastern, Akamai Technologies, and Google has discovered a bug in HAProxy's header processing that, when exploited, allows an HTTP content smuggling attack. Willy Tarreau, the maintainer of HAProxy, disclosed the vulnerability. HAProxy is an open source load balancer and reverse proxy for HTTP and TCP applications.
The bug is in HAProxy's header processing: a maliciously crafted HTTP request can cause HAProxy to drop important header fields after it has already parsed them, so the request it forwards is not the request it evaluated. Because HAProxy and the backend server no longer agree on where the request ends, the remaining bytes can be interpreted by the backend as extra requests that never passed through HAProxy's filters, letting an attacker reach restricted content, bypass URL-based authentication, or pursue other malicious ends.
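The mechanism in the paragraph above, as an added example that is not HAProxy's code: a toy HTTP/1.1 front end and back end that disagree about where one request ends. The trigger used here, a header line with an empty name that makes the front end drop the rest of the header list after it has parsed the request, is an assumed stand-in, since the digest does not describe the real malformed input; the ACL, the reject_malformed switch (in the spirit of the 403 workaround mentioned below) and the sample requests are all constructed for this example.

```c
/* Added example, not HAProxy's code: a toy HTTP/1.1 front end and back end that
 * disagree about where one request ends. The trigger (an empty header name that
 * makes the front end truncate the rest of the head) is an assumed stand-in, as
 * the digest does not describe the real malformed input; requests are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* First body byte (after "\r\n\r\n"), or NULL if the head is incomplete. */
static const char *find_body(const char *req)
{
    const char *p = strstr(req, "\r\n\r\n");
    return p ? p + 4 : NULL;
}

/* Content-Length in the head [req, end), end pointing at the final "\r\n\r\n";
 * 0 when absent. An exact-case match keeps the example short. */
static long content_length(const char *req, const char *end)
{
    for (const char *line = req; line < end; line = strstr(line, "\r\n") + 2)
        if (strncmp(line, "Content-Length:", 15) == 0)
            return strtol(line + 15, NULL, 10);
    return 0;
}

/* Hypothetical front end. It frames the request by the Content-Length it parsed
 * and forwards that many body bytes, but while rewriting the head an empty header
 * name (a line starting with ':') makes it drop every following header line,
 * Content-Length included. Its ACL denies /admin, but only on the request line it
 * parsed. With reject_malformed set it refuses the malformed request instead.
 * Returns bytes written to out, or -1 when denied, rejected or incomplete. */
int frontend_forward(const char *req, char *out, size_t outsz, int reject_malformed)
{
    const char *body = find_body(req), *sp = strchr(req, ' ');
    if (!body || !sp || strncmp(sp + 1, "/admin", 6) == 0)
        return -1;                                   /* incomplete or ACL denied */
    const char *end = body - 4;
    long clen = content_length(req, end);
    if (clen < 0 || (size_t)clen > strlen(body))
        return -1;                                   /* body not fully received */
    size_t n = 0;
    int truncated = 0;
    for (const char *line = req; line < end; ) {
        const char *eol = strstr(line, "\r\n");
        size_t len = (size_t)(eol - line);
        if (line[0] == ':') {                        /* empty header name */
            if (reject_malformed) return -1;
            truncated = 1;                           /* bug: rest of the head is lost */
        } else if (!truncated) {
            if (n + len + 2 >= outsz) return -1;
            memcpy(out + n, line, len);
            memcpy(out + n + len, "\r\n", 2);
            n += len + 2;
        }
        line = eol + 2;
    }
    if (n + 2 + (size_t)clen >= outsz) return -1;
    memcpy(out + n, "\r\n", 2);
    memcpy(out + n + 2, body, (size_t)clen);         /* body as the front end framed it */
    n += 2 + (size_t)clen;
    out[n] = '\0';
    return (int)n;
}

/* Hypothetical back end: frames requests by Content-Length alone, returns how many
 * complete requests the stream holds, and copies the last request line to last_line. */
int backend_count_requests(const char *stream, char *last_line, size_t lsz)
{
    int count = 0;
    for (const char *p = stream; *p; ) {
        const char *body = find_body(p);
        if (!body) break;                            /* head incomplete */
        long clen = content_length(p, body - 4);
        if (clen < 0 || (size_t)clen > strlen(body)) break;   /* body incomplete */
        size_t len = (size_t)(strstr(p, "\r\n") - p);
        if (len >= lsz) len = lsz - 1;
        memcpy(last_line, p, len);
        last_line[len] = '\0';
        count++;
        p = body + clen;
    }
    return count;
}

/* Constructed request: one POST to / as the front end sees it, with a second
 * request for /admin in its body that never passes the front-end ACL. */
const char SMUGGLE_REQ[] =
    "POST / HTTP/1.1\r\nHost: example.test\r\n:\r\nContent-Length: 23\r\n\r\n"
    "GET /admin HTTP/1.1\r\n\r\n";

int main(void)
{
    char fwd[512], line[128] = "";
    int n = frontend_forward(SMUGGLE_REQ, fwd, sizeof fwd, 0);
    int seen = n < 0 ? 0 : backend_count_requests(fwd, line, sizeof line);
    printf("forwarded %d bytes; back end saw %d request(s), last: %s\n", n, seen, line);
    printf("with rejection: %d\n", frontend_forward(SMUGGLE_REQ, fwd, sizeof fwd, 1));
    return 0;
}
```

The front end sees a single POST to / with a 23-byte body and lets it through; the forwarded bytes lack the Content-Length header, so the back end frames the POST as bodiless and treats the 23 body bytes as a second request for /admin, a path the front-end ACL would have denied had it ever seen it. The same request with reject_malformed set is refused outright, which is the shape of the workaround; the real fix is for the front end to never drop a header it has already acted on.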
Tarreau confirmed that almost all HAProxy versions are affected, both HTX-aware versions (2.0 and above) and non-HTX versions (1.9 and earlier, or 2.0 running in legacy mode).
After confirming the vulnerability, Tarreau released fixes across all maintained HAProxy branches: 2.8-dev4, 2.7.3, 2.6.9, 2.5.12, 2.4.22, 2.2.29, and 2.0.31. He recommends that HAProxy users upgrade to the patched release of their branch. Where an immediate upgrade is not possible, he has shared a workaround configuration that rejects requests attempting to trigger the bug with a 403 response; since this workaround does not guarantee full mitigation, upgrading to a patched version remains the recommendation.