SB2011071503 - Multiple vulnerabilities in phpMyAdmin
Published: July 15, 2011 Updated: August 11, 2020
Description
This security bulletin contains information about 4 security vulnerabilities.
1) Path traversal (CVE-ID: CVE-2011-2508)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to an input validation error when processing directory traversal sequences in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled. A remote authenticated attacker can send a specially crafted HTTP request to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][$meta->name][transformation] parameter.
2) Code Injection (CVE-ID: CVE-2011-2505)
The vulnerability allows a remote non-authenticated attacker to manipulate or delete data.
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
3) Code Injection (CVE-ID: CVE-2011-2506)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
4) Code Injection (CVE-ID: CVE-2011-2507)
The vulnerability allows a remote authenticated attacker to read and manipulate data.
libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array.
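The quoting failure described in item 4, as an added PHP example that is not phpMyAdmin's code and not part of the original bulletin: it contrasts a pattern built from an unquoted value with one built through preg_quote() and a callback replacement. All function names and sample values are hypothetical and constructed; PHP 8.0 or later is assumed.

```php
<?php
// Added example, not phpMyAdmin code; every function name is hypothetical.

// 'Before' form: the value goes into the pattern unquoted, so a delimiter
// inside it ends the pattern and whatever follows is parsed as modifiers.
function pattern_unquoted(string $name): string
{
    return '/' . $name . '/';
}

// Hardened form: preg_quote() with the delimiter as its second argument
// escapes regex metacharacters and the delimiter itself.
function pattern_quoted(string $name, string $delim = '/'): string
{
    return $delim . preg_quote($name, $delim) . $delim;
}

// Replace a table name in a statement, treating both names as literals.
function rename_table(string $sql, string $from, string $to): string
{
    // The callback returns $to verbatim: "$1" or "\0" inside it is not read
    // as a backreference, and no eval-style modifier is involved.
    $out = preg_replace_callback(
        pattern_quoted($from),
        static fn(array $m): string => $to,
        $sql
    );
    if ($out === null) {
        throw new RuntimeException('PCRE error: ' . preg_last_error_msg());
    }
    return $out;
}

// Constructed sample: a name that contains the delimiter.
$name = 'orders/i';
echo pattern_unquoted($name), "\n";   // text after the inner "/" sits where modifiers go
echo pattern_quoted($name), "\n";     // the inner "/" is escaped; one literal pattern

// PHP rejects the unquoted pattern with a warning (suppressed here) and
// preg_match() reports failure instead of matching.
var_dump(@preg_match(pattern_unquoted($name), 'orders/i'));
var_dump(preg_match(pattern_quoted($name), 'orders/i'));

// Constructed names with a regex metacharacter and a "$1" in the new name.
echo rename_table('SELECT * FROM `a.b`', 'a.b', 'c$1d'), "\n";
```

The /e modifier named in the bulletin was deprecated in PHP 5.5 and removed in PHP 7.0; preg_replace_callback() is the supported replacement for it.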
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.