Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 389427 (CVE-2011-4107) - <dev-db/phpmyadmin-3.4.9 XML Entity References Information Disclosure Vulnerability (CVE-2011-{4107,4634})
Summary: <dev-db/phpmyadmin-3.4.9 XML Entity References Information Disclosure Vulnera...
Status: RESOLVED FIXED
Alias: CVE-2011-4107
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/46447/
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2011-4782
Blocks:
  Show dependency tree
 
Reported: 2011-11-03 18:08 UTC by Agostino Sarubbo
Modified: 2012-01-04 23:42 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-11-03 18:08:44 UTC
From secunia security advisory at $URL:

Description:
The vulnerability is caused due to an error within libraries/import/xml.php when processing XML data, which can be exploited to e.g. disclose contents of certain local files and perform certain actions on the local network by sending specially crafted XML data including external entity references.

The vulnerability is confirmed in version 3.4.7. Other versions may also be affected.

Solution:
Not patched atm. (Restrict access to trusted users only)
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2011-11-18 06:15:56 UTC
CVE-2011-4107 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4107):
  The simplexml_load_string function in the XML import plug-in
  (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x
  before 3.3.10.5 allows remote authenticated users to read arbitrary files
  via XML data containing external entity references, aka an XML external
  entity (XXE) injection attack.
Comment 2 Sean Amoss gentoo-dev Security 2011-12-14 21:26:38 UTC
Also CVE-2011-4634 which is described in PMASA-2011-18 (http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php). Issue was corrected in 3.4.8, released 2011-12-01.
Comment 3 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2011-12-23 21:33:07 UTC
Bump and fixing together with bug 395715
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-01-01 17:53:13 UTC
Stabilization completed in bug 395715. GLSA Vote: no.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2012-01-02 19:01:50 UTC
CVE-2011-4634 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4634):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x
  before 3.4.8 allow remote attackers to inject arbitrary web script or HTML
  via (1) a crafted database name, related to the Database Synchronize panel;
  (2) a crafted database name, related to the Database rename panel; (3) a
  crafted SQL query, related to the table overview panel; (4) a crafted SQL
  query, related to the view creation dialog; (5) a crafted column type,
  related to the table search dialog; or (6) a crafted column type, related to
  the create index dialog.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-01-04 23:42:24 UTC
This issue was resolved and addressed in
 GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).