Bug 824301 - (CVE-2013-3238) VUL-0: phpMyAdmin: CVE-2013-3238: Remote code execution via preg_replace().
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
Reported: 2013-06-11 02:25 UTC by Alexander Bergmann
Modified: 2015-02-19 01:20 UTC

Description Alexander Bergmann 2013-06-11 02:25:20 UTC
Public via PMASA-2013-2.

http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php


 PMASA-2013-2
 ------------

Announcement-ID: PMASA-2013-2

Date: 2013-04-24

Summary:

Remote code execution via preg_replace().

Description:

In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly sanitize an argument passed to preg_replace() when using the "Replace table prefix" feature, opening the way to this vulnerability.

Severity:

We consider this vulnerability to be serious.

Mitigation factor:

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

Affected Versions:

Versions 3.5.x and 4.0.0 (before -rc3) are affected.

Solution:

For 3.5.x, upgrade to phpMyAdmin 3.5.8 or newer; for 4.0.x, upgrade to 4.0.0-rc3 or newer. You can also apply the patches listed below.

References:

Thanks to Janek Vind for reporting this issue.

Assigned CVE ids: CVE-2013-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
CWE ids: CWE-661 CWE-94
http://cwe.mitre.org/data/definitions/661.html
http://cwe.mitre.org/data/definitions/94.html

Patches:

The following commits have been made on the 3.5 branch to fix this issue:

https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66
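
An added example (not phpMyAdmin's code and not the upstream patch) of the defensive pattern for a prefix-replace feature like the one the advisory describes: keep user input out of the regular expression, or quote it and reject null bytes. All function names and table names are constructed for illustration.

```php
<?php
// Added illustration: hypothetical helpers, not phpMyAdmin's code or its patch.

// Weak pattern: user input becomes part of the regular expression itself,
// so it can change what the pattern means instead of being matched literally.
function replace_prefix_unsafe(string $table, string $from, string $to): string
{
    return preg_replace('/^' . $from . '/', $to, $table);
}

function reject_null_bytes(string ...$values): void
{
    foreach ($values as $v) {
        if (strpos($v, "\0") !== false) {
            throw new InvalidArgumentException('null byte in identifier');
        }
    }
}

// Hardened form 1: a prefix test needs no regex at all.
function replace_prefix(string $table, string $from, string $to): string
{
    reject_null_bytes($table, $from, $to);
    if ($from !== '' && strncmp($table, $from, strlen($from)) === 0) {
        return $to . substr($table, strlen($from));
    }
    return $table;
}

// Hardened form 2: if a regex is kept, quote the input for the delimiter in
// use and supply the replacement via callback so "$1" or "\1" stay literal.
function replace_prefix_regex(string $table, string $from, string $to): string
{
    reject_null_bytes($table, $from, $to);
    if ($from === '') {
        return $table;
    }
    $pattern = '/^' . preg_quote($from, '/') . '/';
    return preg_replace_callback($pattern, function () use ($to) {
        return $to;
    }, $table);
}

// Constructed sample input: "a.b_" contains a regex metacharacter.
foreach (['a.b_users', 'aXb_users', 'log_a.b_users'] as $table) {
    printf("%-14s unsafe=%-12s plain=%-14s quoted=%s\n", $table,
        replace_prefix_unsafe($table, 'a.b_', 'new_'),
        replace_prefix($table, 'a.b_', 'new_'),
        replace_prefix_regex($table, 'a.b_', 'new_'));
}
```

For `aXb_users` only the unsafe form rewrites the name, because the unquoted `.` is interpreted as a regex wildcard rather than as a literal character.
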
Comment 1 Swamp Workflow Management 2013-06-11 16:00:25 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2013-06-12 16:20:44 UTC
fixed with update to 3.5.8.1
- Factory is > 3.5.8.1
- Maintenance request created for 12.2 and 12.3
Comment 3 Swamp Workflow Management 2013-06-21 05:05:07 UTC
openSUSE-SU-2013:1065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 814678,824301,824302
CVE References: CVE-2013-1937,CVE-2013-3238,CVE-2013-3239
Sources used:
openSUSE 12.3 (src):    phpMyAdmin-3.5.8.1-1.4.1
openSUSE 12.2 (src):    phpMyAdmin-3.5.8.1-1.12.1