
Bug 467080 (CVE-2013-3238)

Summary: <dev-db/phpmyadmin-4.0.5: new set of XSS (CVE-2013-{3238,3239})
Product: Gentoo Security
Reporter: ChaosEngine <andrzej.pauli>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: a3li, andrzej.pauli, web-apps
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.8.1/phpMyAdmin-3.5.8.1-notes.html/view
Whiteboard: B4 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 479870    
Bug Blocks:    

Description ChaosEngine 2013-04-24 15:47:29 UTC
Upstream phpmyadmin has two new XSS vulnerabilities. These are patched in version 3.5.8.1.

Reproducible: Didn't try




Welcome to phpMyAdmin 3.5.8.1, a security release.

3.5.8.1 (2013-04-24)
- [security] Remote code execution (preg_replace), reported by Janek Vind
  (see PMASA-2013-2)
- [security] Locally Saved SQL Dump File Multiple File Extension Remote Code
  Execution, reported by Janek Vind (see PMASA-2013-3)
Comment 1 ChaosEngine 2013-04-24 15:59:03 UTC
Commits for the branch:
https://github.com/phpmyadmin/phpmyadmin/commits/RELEASE_3_5_8_1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 12:24:54 UTC
CVE-2013-3239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3239):
  phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir
  directory is configured, allows remote authenticated users to execute
  arbitrary code by using a double extension in the filename of an export
  file, leading to interpretation of this file as an executable file by the
  Apache HTTP Server, as demonstrated by a .php.sql filename.

CVE-2013-3238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3238):
  phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote
  authenticated users to execute arbitrary code via a /e\x00 sequence, which
  is not properly handled before making a preg_replace function call within
  the "Replace table prefix" feature.
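
Added example (not part of the bug report and not phpMyAdmin's upstream fix): a defender-side audit for the double-extension condition described in CVE-2013-3239. It flags export file names in which a handler-mapped extension appears in any position and proposes a neutralized name. The extension set, function names and sample listing are assumptions made for illustration.

```python
from pathlib import PurePosixPath

# Assumption: extensions the audited Apache maps to a handler (AddHandler/AddType).
HANDLER_EXTS = frozenset({"php", "php5", "phtml", "cgi", "pl"})


def handler_extensions(filename, handler_exts=HANDLER_EXTS):
    """Return handler-mapped extensions found in any position of the name.

    mod_mime looks at every dot-separated extension, not only the last one,
    so 'dump.php.sql' can still reach the PHP handler when '.sql' maps to
    nothing.
    """
    name = PurePosixPath(filename).name
    return [e.lower() for e in name.split(".")[1:] if e.lower() in handler_exts]


def neutralize(filename, handler_exts=HANDLER_EXTS):
    """Drop directory parts and defuse handler-mapped extensions with '_'."""
    base, *exts = PurePosixPath(filename).name.split(".")
    out = base
    for ext in exts:
        out += ("_" if ext.lower() in handler_exts else ".") + ext
    return out


def audit(filenames):
    """Map each risky name to (offending extensions, neutralized name)."""
    return {f: (handler_extensions(f), neutralize(f))
            for f in filenames if handler_extensions(f)}


# Constructed sample listing of an export directory (not from the bug report).
SAMPLE = ["backup.sql", "dump.php.sql", "db.PHP5.sql.gz", "notes.txt", "../x.phtml.sql"]

if __name__ == "__main__":
    for name, (exts, safe) in audit(SAMPLE).items():
        print(f"{name}: handler extension(s) {exts}; safer name: {safe}")
```

Keeping the SaveDir outside the web root, or disabling script handlers for it, removes the exposure regardless of file names.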
Comment 3 Sean Amoss (RETIRED) gentoo-dev Security 2013-05-09 14:02:27 UTC
Bug 468516 is not a blocker: this can be fixed with 3.5.8.1.
Comment 4 Sergey Popov gentoo-dev 2013-08-24 19:42:09 UTC
GLSA vote: yes
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2013-08-24 20:09:22 UTC
GLSA with 479870, 478696, 465420
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-11-04 11:57:08 UTC
This issue was resolved and addressed in
 GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml
by GLSA coordinator Sergey Popov (pinkbyte).