Bug 824302 (CVE-2013-3239)

Summary: VUL-0: phpMyAdmin: CVE-2013-3239: Locally Saved SQL Dump File Multiple File Extension Remote Code Execution.
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mrueckert
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Alexander Bergmann 2013-06-11 02:25:26 UTC
Public via PMASA-2013-3:

http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php


 PMASA-2013-3
 ------------

Announcement-ID: PMASA-2013-3

Date: 2013-04-24

Summary:

Locally Saved SQL Dump File Multiple File Extension Remote Code Execution.

Description:

phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type "sql" (the default) will treat this saved file as a ".php" script, leading to remote code execution.

Severity:

We consider this vulnerability to be serious.

Mitigation factor:

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form. Moreover, the SaveDir directive is empty by default, so a default configuration is not vulnerable. The $cfg['SaveDir'] directive must be configured, and the server must be running Apache with mod_mime to be exploitable.

Affected Versions:

Versions 3.5.x and 4.0.0 (before -rc3) are affected.

Solution:

For 3.5.x, upgrade to phpMyAdmin 3.5.8 or newer; for 4.0.x, upgrade to 4.0.0-rc3 or newer. You can also apply the patches listed below.

References:

Thanks to Janek Vind for reporting this issue.

Assigned CVE ids: CVE-2013-3239
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239

CWE ids: CWE-661 CWE-94 
http://cwe.mitre.org/data/definitions/661.html
http://cwe.mitre.org/data/definitions/94.html

Patches:

The following commits have been made on the 3.5 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
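
The double-extension condition described in the advisory can be checked against the contents of a SaveDir. This is an added example, not part of the advisory or of phpMyAdmin's code; it uses a simplified model of mod_mime, and the type mapping, function names and file listing are constructed assumptions.

```python
"""Audit export filenames for the double-extension problem in PMASA-2013-3.

Simplified model of Apache mod_mime: every dot-separated extension after the
base name is looked up, extensions with no mapping are ignored, and when
several map to a content type the rightmost known one wins.
"""

# Constructed sample mapping (assumption): PHP is bound to ".php" by content
# type and, as in the default case the advisory describes, "sql" is unmapped.
DEFAULT_TYPES = {
    "php": "application/x-httpd-php",
    "html": "text/html",
    "txt": "text/plain",
    "zip": "application/zip",
}
SCRIPT_TYPES = {"application/x-httpd-php"}


def resolved_type(filename, types=DEFAULT_TYPES):
    """Return the content type the modelled server would pick, or None."""
    chosen = None
    # The first component is the base name, not an extension.
    # Extension matching is case-insensitive.
    for ext in filename.lower().split(".")[1:]:
        if ext in types:
            chosen = types[ext]  # rightmost known extension wins
    return chosen


def risky_exports(filenames, types=DEFAULT_TYPES):
    """List filenames the modelled server would handle as a script."""
    return [n for n in filenames if resolved_type(n, types) in SCRIPT_TYPES]


if __name__ == "__main__":
    # Constructed directory listing of a SaveDir.
    listing = ["backup.sql", "foobar.php.sql", "shop.sql.zip", "notes.txt.sql"]
    print("Handled as script with 'sql' unmapped:", risky_exports(listing))
    # With a MIME type defined for "sql", that rightmost extension wins.
    with_sql = dict(DEFAULT_TYPES, sql="application/sql")
    print("Handled as script with 'sql' mapped:", risky_exports(listing, with_sql))
```

Run it over a real directory by passing `os.listdir()` of the configured SaveDir to `risky_exports`, with the mapping adjusted to match the server's actual configuration.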
Comment 1 Swamp Workflow Management 2013-06-11 16:00:30 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2013-06-12 16:21:39 UTC
fixed with update to 3.5.8.1
- Factory is > 3.5.8.1
- Maintenance request created for 12.2 and 12.3
Comment 3 Swamp Workflow Management 2013-06-21 05:05:23 UTC
openSUSE-SU-2013:1065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 814678,824301,824302
CVE References: CVE-2013-1937,CVE-2013-3238,CVE-2013-3239
Sources used:
openSUSE 12.3 (src):    phpMyAdmin-3.5.8.1-1.4.1
openSUSE 12.2 (src):    phpMyAdmin-3.5.8.1-1.12.1