Bug 9863 - phpmyadmin new security issues fixed in 3.5.8.1
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
: Sec team
: has_procedure mga2-64-ok mga2-32-ok
: validated_update
Reported: 2013-04-25 00:17 CEST by David Walser
Modified: 2013-05-02 19:30 CEST

Source RPM: phpmyadmin-3.5.8.1-1.mga2.src.rpm

Comment 1 José Jorge 2013-04-25 09:49:03 CEST
Pushed to cauldron
Comment 2 José Jorge 2013-04-25 09:54:15 CEST
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

phpMyAdmin 3.5.8.1 has been released to fix a number of security problems. Also, the third release candidate for phpMyAdmin 4.0.0 has been released, containing normal bug fixes for 4.0, along with security fixes.

For more details, see the upcoming PMASA-2013-2, PMASA-2013-3, PMASA-2013-4 and PMASA-2013-5.
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
Comment 3 claire robinson 2013-04-25 10:53:36 CEST
Any CVEs you want to attach to this, David?
Comment 4 David Walser 2013-04-25 15:33:11 CEST
Yes, they're listed in the upstream advisories.  Actually, they say only the first two affect 3.5.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In some PHP versions, the preg_replace() function can be tricked into
executing arbitrary PHP code on the server. This is done by passing a
crafted argument as the regular expression, containing a null byte.
phpMyAdmin does not correctly sanitize an argument passed to preg_replace()
when using the "Replace table prefix" feature, opening the way to this
vulnerability (CVE-2013-3238).

phpMyAdmin can be configured to save an export file on the web server, via
its SaveDir directive. With this in place, it's possible, either via a
crafted filename template or a crafted table name, to save a double
extension file like foobar.php.sql. In turn, an Apache webserver on which
there is no definition for the MIME type "sql" (the default) will treat
this saved file as a ".php" script, leading to remote code execution
(CVE-2013-3239).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
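
The double-extension condition from the CVE-2013-3239 advisory text above can be checked on files already present in a SaveDir directory. This is an added example, not part of the bug report or of phpMyAdmin; the extension sets, function names and sample listing are assumptions to adapt to the local Apache configuration.

```python
import os

# Assumption: extensions the local Apache maps to the PHP interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml"}
# Assumption: other extensions with a media type defined on this host.
# "sql" is deliberately absent, matching the default the advisory describes.
# Content encodings such as gz are not modelled here.
TYPED_EXTS = {"txt", "html", "xml", "csv", "zip"}


def effective_script_ext(filename, known=TYPED_EXTS, handler_mode=False):
    """Return the script extension Apache would act on, or None.

    Default: model media-type mapping, where unrecognised extensions are
    skipped and the right-most recognised one wins. handler_mode=True models
    an AddHandler mapping, which applies wherever the extension appears.
    """
    # Everything after the first dot is an extension, as mod_mime sees it.
    exts = [e.lower() for e in os.path.basename(filename).split(".")[1:]]
    for ext in reversed(exts):
        if ext in SCRIPT_EXTS:
            return ext
        if ext in known and not handler_mode:
            return None  # a recognised non-script type takes precedence
    return None


def audit_save_dir(names, **kw):
    """Return (name, ext) for every export file that would run as a script."""
    hits = []
    for name in names:
        ext = effective_script_ext(name, **kw)
        if ext:
            hits.append((name, ext))
    return hits


# Constructed sample listing of a SaveDir directory (not from the report).
SAMPLE = ["backup_2013.sql", "foobar.php.sql", "dump.sql.zip",
          "notes.php.txt", "shop.PHP5.sql.zip"]

if __name__ == "__main__":
    for name, ext in audit_save_dir(SAMPLE):
        print(f"{name}: would be handled as .{ext}")
```

Passing `known=TYPED_EXTS | {"sql"}` models a server where a type for "sql" has been defined, in which case `foobar.php.sql` is no longer flagged under type mapping.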
Comment 5 David Walser 2013-04-25 16:48:25 CEST
Fixed now for Cauldron in phpmyadmin-3.5.8.1-1.mga3.
Comment 6 claire robinson 2013-04-25 18:54:05 CEST
PoC: http://www.waraxe.us/advisory-103.html

Testing mga2 64

This is an upstream release rather than a patched package, but confirmed vulnerable with the PoC anyway and confirmed closed after updating.

Everything seems fine. Created/dropped databases/users etc.
Comment 7 claire robinson 2013-04-25 18:59:34 CEST
Testing complete mga2 32

Validating

SRPM & advisory in comment 4

Could sysadmin please push from core/updates_testing to core/updates?

Thanks!
Comment 8 Oden Eriksson 2013-04-26 08:16:10 CEST
======================================================
Name: CVE-2013-3238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote
authenticated users to execute arbitrary code via a /e\x00 sequence,
which is not properly handled before making a preg_replace function
call within the "Replace table prefix" feature.



======================================================
Name: CVE-2013-3239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir
directory is configured, allows remote authenticated users to execute
arbitrary code by using a double extension in the filename of an
export file, leading to interpretation of this file as an executable
file by the Apache HTTP Server, as demonstrated by a .php.sql
filename.



======================================================
Name: CVE-2013-3240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3240
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-4.php

Directory traversal vulnerability in the Export feature in phpMyAdmin
4.x before 4.0.0-rc3 allows remote authenticated users to read
arbitrary files or possibly have unspecified other impact via a
parameter that specifies a crafted export type.



======================================================
Name: CVE-2013-3241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3241
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-5.php

export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3
overwrites global variables on the basis of the contents of the POST
superglobal array, which allows remote authenticated users to inject
values via a crafted request.
Comment 9 Thomas Backlund 2013-05-02 19:30:17 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133
