Bug 9863 - phpmyadmin new security issues fixed in 3.5.8.1
Summary: phpmyadmin new security issues fixed in 3.5.8.1
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: has_procedure mga2-64-ok mga2-32-ok
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2013-04-25 00:17 CEST by David Walser
Modified: 2013-05-02 19:30 CEST

See Also:
Source RPM: phpmyadmin-3.5.8.1-1.mga2.src.rpm
CVE:
Status comment:



David Walser 2013-04-25 00:17:47 CEST

Whiteboard: (none) => MGA2TOO

Comment 1 José Jorge 2013-04-25 09:49:03 CEST
Pushed to cauldron

Status: NEW => ASSIGNED

Comment 2 José Jorge 2013-04-25 09:54:15 CEST
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

phpMyAdmin 3.5.8.1 has been released to fix a number of security problems. Also, the third release candidate for phpMyAdmin 4.0.0 has been released, containing normal bug fixes for 4.0, along with security fixes.

For more details, see the upcoming PMASA-2013-2, PMASA-2013-3, PMASA-2013-4 and PMASA-2013-5.
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
José Jorge 2013-04-25 09:57:30 CEST

Assignee: lists.jjorge => qa-bugs

claire robinson 2013-04-25 10:52:41 CEST

Version: Cauldron => 2
Source RPM: phpmyadmin-3.5.8-1.mga3.src.rpm => phpmyadmin-3.5.8.1-1.mga2.src.rpm
Whiteboard: MGA2TOO => (none)

Comment 3 claire robinson 2013-04-25 10:53:36 CEST
Any CVEs you want to attach to this, David?

Comment 4 David Walser 2013-04-25 15:33:11 CEST
Yes, they're listed in the upstream advisories.  Actually, they say only the first two affect 3.5.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In some PHP versions, the preg_replace() function can be tricked into
executing arbitrary PHP code on the server. This is done by passing a
crafted argument as the regular expression, containing a null byte.
phpMyAdmin does not correctly sanitize an argument passed to preg_replace()
when using the "Replace table prefix" feature, opening the way to this
vulnerability (CVE-2013-3238).

phpMyAdmin can be configured to save an export file on the web server, via
its SaveDir directive. With this in place, it's possible, either via a
crafted filename template or a crafted table name, to save a double
extension file like foobar.php.sql. In turn, an Apache webserver on which
there is no definition for the MIME type "sql" (the default) will treat
this saved file as a ".php" script, leading to remote code execution
(CVE-2013-3239).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.8.1-1.mga2

from phpmyadmin-3.5.8.1-1.mga2.src.rpm
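
Added example (not part of this bug report and not phpMyAdmin's own code): a Python check for the double-extension problem described in the CVE-2013-3239 advisory text above, flagging SaveDir file names that carry a script extension in any position and building a save name with a single extension. The SCRIPT_EXTS set, the function names and the sample listing are assumptions made for illustration.

```python
import os

# Assumption: extensions this web server hands to a script interpreter.
SCRIPT_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}


def script_extensions(filename):
    """Return script extensions found in ANY position after the base name.

    Apache's mod_mime treats every dot-separated part as an extension and
    ignores parts it has no mapping for, so checking only the last one
    ("sql") misses names such as foobar.php.sql.
    """
    parts = os.path.basename(filename).lower().split(".")[1:]
    return [ext for ext in parts if ext in SCRIPT_EXTS]


def audit_save_dir(names):
    """Map each risky name in a SaveDir listing to the extensions found."""
    return {n: hits for n in names if (hits := script_extensions(n))}


def safe_export_name(expanded_template, ext="sql"):
    """Build a save name with exactly one extension.

    `expanded_template` is the filename template after substitution, so it
    may contain an attacker-chosen table name.
    """
    stem = expanded_template.replace("\\", "/").replace("\x00", "")
    stem = os.path.basename(stem)
    stem = stem.replace(".", "_").strip("_ ") or "export"
    return f"{stem}.{ext}"


# Constructed sample listing of a SaveDir directory.
SAMPLE = ["db1.sql", "foobar.php.sql", "backup.sql.gz", "Report.PHP5.sql"]

if __name__ == "__main__":
    for name, hits in audit_save_dir(SAMPLE).items():
        print(f"review {name}: contains {hits}")
    print(safe_export_name("foobar.php"))
```
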
Comment 5 David Walser 2013-04-25 16:48:25 CEST
Fixed now for Cauldron in phpmyadmin-3.5.8.1-1.mga3.

Comment 6 claire robinson 2013-04-25 18:54:05 CEST
PoC: http://www.waraxe.us/advisory-103.html

Testing mga2 64

This is an upstream release rather than a patched package but confirmed vulnerable with the PoC anyway and confirmed closed after updating.

Everything seems fine. Created/dropped databases/users etc.

Whiteboard: (none) => has_procedure mga2-64-ok

Comment 7 claire robinson 2013-04-25 18:59:34 CEST
Testing complete mga2 32

Validating

SRPM & advisory in comment 4

Could sysadmin please push from core/updates_testing to core/updates

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga2-32-ok
CC: (none) => sysadmin-bugs

Comment 8 Oden Eriksson 2013-04-26 08:16:10 CEST
======================================================
Name: CVE-2013-3238
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote
authenticated users to execute arbitrary code via a /e\x00 sequence,
which is not properly handled before making a preg_replace function
call within the "Replace table prefix" feature.



======================================================
Name: CVE-2013-3239
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
Reference: CONFIRM:https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir
directory is configured, allows remote authenticated users to execute
arbitrary code by using a double extension in the filename of an
export file, leading to interpretation of this file as an executable
file by the Apache HTTP Server, as demonstrated by a .php.sql
filename.



======================================================
Name: CVE-2013-3240
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3240
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-4.php

Directory traversal vulnerability in the Export feature in phpMyAdmin
4.x before 4.0.0-rc3 allows remote authenticated users to read
arbitrary files or possibly have unspecified other impact via a
parameter that specifies a crafted export type.



======================================================
Name: CVE-2013-3241
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3241
Final-Decision: 
Interim-Decision: 
Modified: 
Proposed: 
Assigned: 20130422
Category: 
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2013-5.php

export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3
overwrites global variables on the basis of the contents of the POST
superglobal array, which allows remote authenticated users to inject
values via a crafted request.

CC: (none) => oe

Comment 9 Thomas Backlund 2013-05-02 19:30:17 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

