Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 467080 (CVE-2013-3238) - <dev-db/phpmyadmin-4.0.5: new set of XSS (CVE-2013-{3238,3239})
Summary: <dev-db/phpmyadmin-4.0.5: new set of XSS (CVE-2013-{3238,3239})
Status: RESOLVED FIXED
Alias: CVE-2013-3238
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://sourceforge.net/projects/phpm...
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2013-5029
Blocks:
  Show dependency tree
 
Reported: 2013-04-24 15:47 UTC by ChaosEngine
Modified: 2013-11-04 11:57 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ChaosEngine 2013-04-24 15:47:29 UTC
Upstream phpmyadmin has two new XSS vulnerabilities. These are patched in version 3.5.8.1.

Reproducible: Didn't try




Welcome to phpMyAdmin 3.5.8.1, a security release.

3.5.8.1 (2013-04-24)
- [security] Remote code execution (preg_replace), reported by Janek Vind
  (see PMASA-2013-2)
- [security] Locally Saved SQL Dump File Multiple File Extension Remote Code
  Execution, reported by Janek Vind (see PMASA-2013-3)
Comment 1 ChaosEngine 2013-04-24 15:59:03 UTC
Commits for the branch:
https://github.com/phpmyadmin/phpmyadmin/commits/RELEASE_3_5_8_1
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2013-05-09 12:24:54 UTC
CVE-2013-3239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3239):
  phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir
  directory is configured, allows remote authenticated users to execute
  arbitrary code by using a double extension in the filename of an export
  file, leading to interpretation of this file as an executable file by the
  Apache HTTP Server, as demonstrated by a .php.sql filename.

CVE-2013-3238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3238):
  phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote
  authenticated users to execute arbitrary code via a /e\x00 sequence, which
  is not properly handled before making a preg_replace function call within
  the "Replace table prefix" feature.
Comment 3 Sean Amoss gentoo-dev Security 2013-05-09 14:02:27 UTC
Bug 468516 is not a blocker: this can be fixed with 3.5.8.1.
Comment 4 Sergey Popov gentoo-dev 2013-08-24 19:42:09 UTC
GLSA vote: yes
Comment 5 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-08-24 20:09:22 UTC
GLSA with 479870, 478696, 465420
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2013-11-04 11:57:08 UTC
This issue was resolved and addressed in
 GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml
by GLSA coordinator Sergey Popov (pinkbyte).