phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Debian Bug report logs - #656247
phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: submit@bugs.debian.org

Subject: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Date: Tue, 17 Jan 2012 21:11:38 +0200

Package: phpmyadmin
Version: 4:3.3.7-6
Severity: normal

Vulnerability in phpmyadmin in squeeze has been exploited wildly in public. Spion from #debian-security asked this to be handled quickly.

Tracker: http://security-tracker.debian.org/tracker/CVE-2011-4107
Exploit: http://www.exploit-db.com/exploits/18371/
OSVDB: http://osvdb.org/show/osvdb/76798

Please note that I have not validated this vulnerability and there is something strange going on as OSVDB has subject: "libraries/import/xml.php XML Data Entity References Parsing Remote Information Disclosure" and exploit-db is talking about LFI. Probably both are true. Contact me in case you need any help solving this issue. I can test and try to patch for example if needed. From MITRE's CVE-list:

======================================================
Name: CVE-2011-4107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
Phase: Assigned (20111018)
Category: 
Reference: FULLDISC:20111102 PhpMyAdmin Arbitrary File Reading
Reference: URL:http://seclists.org/fulldisclosure/2011/Nov/21
Reference: MISC:http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
Reference: MISC:http://www.wooyun.org/bugs/wooyun-2010-03185
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=751112
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
Reference: FEDORA:FEDORA-2011-15831
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
Reference: FEDORA:FEDORA-2011-15841
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
Reference: FEDORA:FEDORA-2011-15846
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
Reference: BID:50497
Reference: URL:http://www.securityfocus.com/bid/50497
Reference: OSVDB:76798
Reference: URL:http://osvdb.org/76798
Reference: SECUNIA:46447
Reference: URL:http://secunia.com/advisories/46447
Reference: XF:phpmyadmin-xml-info-disclosure(71108)
Reference: URL:http://xforce.iss.net/xforce/xfdb/71108

The simplexml_load_string function in the XML import plug-in
(libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and
3.3.x before 3.3.10.5 allows remote authenticated users to read
arbitrary files via XML data containing external entity references,
aka an XML external entity (XXE) injection attack.


Current Votes:
None (candidate not yet proposed)
======================================================

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpmyadmin depends on:
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  libjs-mootools         1.2.4.0~debian1-1 compact JavaScript framework
ii  perl                   5.10.1-17squeeze2 Larry Wall's Practical Extraction
ii  php5                   5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-cgi               5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-mcrypt            5.3.3-7+squeeze3  MCrypt module for php5
ii  php5-mysql             5.3.3-7+squeeze3  MySQL module for php5
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2                2.2.16-6+squeeze4 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze4 Apache HTTP Server - traditional n
ii  mysql-client           5.1.49-3          MySQL database client (metapackage
ii  mysql-client-5.1 [mysq 5.1.49-3          MySQL database client binaries
ii  php5-gd                5.3.3-7+squeeze3  GD module for php5

Versions of packages phpmyadmin suggests:
pn  mysql-server                  <none>     (no description available)

-- debconf information excluded

Message #10 received at 656247@bugs.debian.org (full text, mbox, reply):

From: Henri Salo <henri@nerv.fi>

To: 656247@bugs.debian.org

Subject: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Date: Tue, 17 Jan 2012 22:01:29 +0200

tags security
severity critical

Message #19 received at 656247@bugs.debian.org (full text, mbox, reply):

From: "Thijs Kinkhorst" <thijs@debian.org>

To: "Henri Salo" <henri@nerv.fi>, 656247@bugs.debian.org

Cc: control@bugs.debian.org

Subject: Re: Bug#656247: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Date: Thu, 19 Jan 2012 10:55:57 +0100

fixed 656247 4:3.4.7.1-1
thanks

On Tue, January 17, 2012 20:11, Henri Salo wrote:
> Package: phpmyadmin
> Version: 4:3.3.7-6
> Severity: normal
>
> Vulnerability in phpmyadmin in squeeze has been exploited wildly in
> public. Spion from #debian-security asked this to be handled quickly.

I will provide an update to stable later today.
Marking bug has fixed for wheezy/sid.


Thijs

Message #26 received at 656247-close@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>

To: 656247-close@bugs.debian.org

Subject: Bug#656247: fixed in phpmyadmin 4:3.3.7-7

Date: Sun, 22 Jan 2012 17:17:09 +0000

Source: phpmyadmin
Source-Version: 4:3.3.7-7

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_3.3.7-7.debian.tar.gz
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.debian.tar.gz
phpmyadmin_3.3.7-7.dsc
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.dsc
phpmyadmin_3.3.7-7_all.deb
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Jan 2012 13:34:08 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.3.7-7
Distribution: stable-security
Urgency: low
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 656247
Changes: 
 phpmyadmin (4:3.3.7-7) stable-security; urgency=low
 .
   * Upload to stable for security issues.
   * CVE-2011-4107: XML external entity (XXE) injection attack
     (closes: 656247).
   * CVE-2011-1940, CVE-2011-3181: XSS in tracking feature.
 .
   * Properly apply fix for minor issues
     CVE-2011-2642, CVE-2011-2719.
Checksums-Sha1: 
 88c764e6c6a8b04afd9091a0629c581138ee383e 1517 phpmyadmin_3.3.7-7.dsc
 cc1fabbe339386cbb50e94ac8247853356d3cd36 54285 phpmyadmin_3.3.7-7.debian.tar.gz
 13cdb5c981f912deb0013108ba2cc90b3fc5e518 4350820 phpmyadmin_3.3.7-7_all.deb
Checksums-Sha256: 
 fbcccd0bc28e5d9187e816b2d2fa1549b5d2a66a3fcb405f19ef9bbc9dc8be48 1517 phpmyadmin_3.3.7-7.dsc
 7e1b3a94cdcb7e7cbaab95315b1a4f24f17565fcca74039746700d625768e724 54285 phpmyadmin_3.3.7-7.debian.tar.gz
 302f5622f57b992a202489ac24474dba422dd0915402fac2e7b93786f2f4512d 4350820 phpmyadmin_3.3.7-7_all.deb
Files: 
 69508e5d49591e02ed84d85e5b33e489 1517 web extra phpmyadmin_3.3.7-7.dsc
 aab1facb7434dd4cec08e0926b11bf84 54285 web extra phpmyadmin_3.3.7-7.debian.tar.gz
 1ce755ea697d1dcf2ce8e0c39af2e204 4350820 web extra phpmyadmin_3.3.7-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJPHAS5AAoJEOxfUAG2iX57hX4IAJpr3aGdwtvVgCQ9Cu6YAqso
YPXzNm1Ap+PDPkD4+31R3W95ZZ0Uc8GTpggwMyC+7k26it9VAzhXM8pI+423jJai
KolLNiGZ+XkKvNsHqDZfkbijmXg0lJcSciIDd1bNbRbZmyFD3UPmRSUADX+RFbKW
BBIYnLlxiIQnN7HnP0EeOo/F932dqnMnfjcz8EkySV10dOvXLLZ3qDXapRK0pVvN
QjbBMOhiP/7mi01UqRvwP5CKdZbLxS4OkrmXEfKGVH3EOUIH3iMCXnfDCuz1Nj+n
v5VINr+bJzHrsD5IxSTG+CnceQX1Jr3gosH77txZraf2jgoipA78Vwr+mSpU4ak=
=7ZC9
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.