Debian Bug report logs - #656247
phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: Henri Salo <henri@nerv.fi>

Date: Tue, 17 Jan 2012 19:21:02 UTC

Severity: critical

Tags: security

Found in version 4:3.3.7-6

Fixed in versions phpmyadmin/4:3.4.7.1-1, phpmyadmin/4:3.3.7-7

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#656247; Package phpmyadmin. (Tue, 17 Jan 2012 19:21:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Tue, 17 Jan 2012 19:21:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)
Date: Tue, 17 Jan 2012 21:11:38 +0200
Package: phpmyadmin
Version: 4:3.3.7-6
Severity: normal

A vulnerability in phpmyadmin in squeeze has been exploited widely in public. Spion from #debian-security asked this to be handled quickly.

Tracker: http://security-tracker.debian.org/tracker/CVE-2011-4107
Exploit: http://www.exploit-db.com/exploits/18371/
OSVDB: http://osvdb.org/show/osvdb/76798

Please note that I have not validated this vulnerability and there is something strange going on as OSVDB has subject: "libraries/import/xml.php XML Data Entity References Parsing Remote Information Disclosure" and exploit-db is talking about LFI. Probably both are true. Contact me in case you need any help solving this issue. I can test and try to patch for example if needed. From MITRE's CVE-list:

======================================================
Name: CVE-2011-4107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
Phase: Assigned (20111018)
Category: 
Reference: FULLDISC:20111102 PhpMyAdmin Arbitrary File Reading
Reference: URL:http://seclists.org/fulldisclosure/2011/Nov/21
Reference: MISC:http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
Reference: MISC:http://www.wooyun.org/bugs/wooyun-2010-03185
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=751112
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
Reference: FEDORA:FEDORA-2011-15831
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
Reference: FEDORA:FEDORA-2011-15841
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
Reference: FEDORA:FEDORA-2011-15846
Reference: URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
Reference: BID:50497
Reference: URL:http://www.securityfocus.com/bid/50497
Reference: OSVDB:76798
Reference: URL:http://osvdb.org/76798
Reference: SECUNIA:46447
Reference: URL:http://secunia.com/advisories/46447
Reference: XF:phpmyadmin-xml-info-disclosure(71108)
Reference: URL:http://xforce.iss.net/xforce/xfdb/71108

The simplexml_load_string function in the XML import plug-in
(libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and
3.3.x before 3.3.10.5 allows remote authenticated users to read
arbitrary files via XML data containing external entity references,
aka an XML external entity (XXE) injection attack.


Current Votes:
None (candidate not yet proposed)
======================================================

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpmyadmin depends on:
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  libjs-mootools         1.2.4.0~debian1-1 compact JavaScript framework
ii  perl                   5.10.1-17squeeze2 Larry Wall's Practical Extraction
ii  php5                   5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-cgi               5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-mcrypt            5.3.3-7+squeeze3  MCrypt module for php5
ii  php5-mysql             5.3.3-7+squeeze3  MySQL module for php5
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2                2.2.16-6+squeeze4 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze4 Apache HTTP Server - traditional n
ii  mysql-client           5.1.49-3          MySQL database client (metapackage
ii  mysql-client-5.1 [mysq 5.1.49-3          MySQL database client binaries
ii  php5-gd                5.3.3-7+squeeze3  GD module for php5

Versions of packages phpmyadmin suggests:
pn  mysql-server                  <none>     (no description available)

-- debconf information excluded
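
The CVE text above describes the weak pattern: feeding untrusted import data straight into simplexml_load_string() lets a DTD in that data declare entities that pull in local files. The following is an added example of a hardened loader for the same job; it is not phpMyAdmin's own code and not the fix shipped in 3.3.7-7. It keeps libxml's external entity loader off while parsing, uses restrictive parser flags, and refuses any document that carries a DOCTYPE, because entities can only be declared in a DTD and an export file never needs one. The function name, the pma_xml_export sample and the placeholder entity path are constructed for illustration.

```php
<?php
// Added example (not phpMyAdmin's code): a hardened loader for untrusted
// import XML, standing in for a bare simplexml_load_string() call.
// Defence in depth: (1) keep libxml's external entity loader off while we
// parse, (2) parse with LIBXML_NONET and without LIBXML_NOENT/LIBXML_DTDLOAD,
// (3) refuse any document carrying a DOCTYPE, since entities can only be
// declared in a DTD and a table export never needs one.
function load_import_xml_safely($xml)
{
    // (1) PHP 5.2.11+; deprecated no-op on PHP 8 / libxml 2.9+, where external
    //     loading is already disabled by default, so skip the call there.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    $previousErrors = libxml_use_internal_errors(true);
    // (2) DOMDocument exposes the DTD, which SimpleXML does not.
    $dom = new DOMDocument();
    $parsed = $dom->loadXML($xml, LIBXML_NONET);
    $error = $parsed ? null : libxml_get_last_error();

    // Restore global libxml state before any throw or return.
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);
    if ($previousLoader !== null) {
        libxml_disable_entity_loader($previousLoader);
    }

    if (!$parsed) {
        $detail = $error ? ': ' . trim($error->message) : '';
        throw new RuntimeException('Import rejected: malformed XML' . $detail);
    }
    // (3) Any DTD at all is grounds for rejection, internal or external.
    if ($dom->doctype !== null) {
        throw new RuntimeException('Import rejected: DOCTYPE declarations are not allowed');
    }
    // Hand back the type the import code expects.
    return simplexml_import_dom($dom);
}

// Constructed sample inputs, not real export files; the entity path is a placeholder.
$benign = '<?xml version="1.0"?><pma_xml_export version="1.0"><database name="demo"/></pma_xml_export>';
$withDtd = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM "file:///placeholder/path">]><x>&e;</x>';
echo load_import_xml_safely($benign)->getName(), "\n";
try {
    load_import_xml_safely($withDtd);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The DTD sample is refused on either path: if libxml attempts and fails to fetch the external entity, the parse-error branch fires; otherwise the DOCTYPE check does.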
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#656247; Package phpmyadmin. (Tue, 17 Jan 2012 20:12:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Henri Salo <henri@nerv.fi>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Tue, 17 Jan 2012 20:12:06 GMT) Full text and rfc822 format available.

Message #10 received at 656247@bugs.debian.org (full text, mbox):

From: Henri Salo <henri@nerv.fi>
To: 656247@bugs.debian.org
Subject: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)
Date: Tue, 17 Jan 2012 22:01:29 +0200
tags security
severity critical
Severity set to 'critical' from 'normal' Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Tue, 17 Jan 2012 20:45:05 GMT) Full text and rfc822 format available.

Added tag(s) security. Request was from Jan Wagner <waja@cyconet.org> to control@bugs.debian.org. (Tue, 17 Jan 2012 20:45:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>:
Bug#656247; Package phpmyadmin. (Thu, 19 Jan 2012 09:57:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Thu, 19 Jan 2012 09:57:14 GMT) Full text and rfc822 format available.

Message #19 received at 656247@bugs.debian.org (full text, mbox):

From: "Thijs Kinkhorst" <thijs@debian.org>
To: "Henri Salo" <henri@nerv.fi>, 656247@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#656247: phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)
Date: Thu, 19 Jan 2012 10:55:57 +0100
fixed 656247 4:3.4.7.1-1
thanks

On Tue, January 17, 2012 20:11, Henri Salo wrote:
> Package: phpmyadmin
> Version: 4:3.3.7-6
> Severity: normal
>
> Vulnerability in phpmyadmin in squeeze has been exploited wildly in
> public. Spion from #debian-security asked this to be handled quickly.

I will provide an update to stable later today.
Marking bug as fixed for wheezy/sid.


Thijs
Bug Marked as fixed in versions phpmyadmin/4:3.4.7.1-1. Request was from "Thijs Kinkhorst" <thijs@debian.org> to control@bugs.debian.org. (Thu, 19 Jan 2012 09:57:17 GMT) Full text and rfc822 format available.

Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (Sun, 22 Jan 2012 17:21:07 GMT) Full text and rfc822 format available.

Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Sun, 22 Jan 2012 17:21:07 GMT) Full text and rfc822 format available.

Message #26 received at 656247-close@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: 656247-close@bugs.debian.org
Subject: Bug#656247: fixed in phpmyadmin 4:3.3.7-7
Date: Sun, 22 Jan 2012 17:17:09 +0000
Source: phpmyadmin
Source-Version: 4:3.3.7-7

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_3.3.7-7.debian.tar.gz
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.debian.tar.gz
phpmyadmin_3.3.7-7.dsc
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.dsc
phpmyadmin_3.3.7-7_all.deb
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656247@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <thijs@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 22 Jan 2012 13:34:08 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.3.7-7
Distribution: stable-security
Urgency: low
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 656247
Changes: 
 phpmyadmin (4:3.3.7-7) stable-security; urgency=low
 .
   * Upload to stable for security issues.
   * CVE-2011-4107: XML external entity (XXE) injection attack
     (closes: 656247).
   * CVE-2011-1940, CVE-2011-3181: XSS in tracking feature.
 .
   * Properly apply fix for minor issues
     CVE-2011-2642, CVE-2011-2719.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 20 Feb 2012 07:39:38 GMT) Full text and rfc822 format available.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 07:57:18 2014; Machine Name: beach.debian.org