Bug 824302 - (CVE-2013-3239) VUL-0: phpMyAdmin: CVE-2013-3239: Locally Saved SQL Dump File Multiple File Extension Remote Code Execution.
(CVE-2013-3239)
VUL-0: phpMyAdmin: CVE-2013-3239: Locally Saved SQL Dump File Multiple File E...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-11 02:25 UTC by Alexander Bergmann
Modified: 2015-02-19 01:20 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2013-06-11 02:25:26 UTC
Public via PMASA-2013-3:

http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php


 PMASA-2013-3
 ------------

Announcement-ID: PMASA-2013-3

Date: 2013-04-24

Summary:

Locally Saved SQL Dump File Multiple File Extension Remote Code Execution.

Description:

phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type "sql" (the default) will treat this saved file as a ".php" script, leading to remote code execution.

Severity:

We consider this vulnerability to be serious.

Mitigation factor:

This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users to access the required form. Moreover, the SaveDir directive is empty by default, so a default configuration is not vulnerable. The $cfg['SaveDir'] directive must be configured, and the server must be running Apache with mod_mime to be exploitable.

Affected Versions:

Versions 3.5.x and 4.0.0 (before -rc3) are affected.
Solution

For 3.5.x, upgrade to phpMyAdmin 3.5.8 or newer; for 4.0.x, upgrade to 4.0.0-rc3 or newer. You can also apply the patches listed below.

References:

Thanks to Janek Vind for reporting this issue.

Assigned CVE ids: CVE-2013-3239
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239

CWE ids: CWE-661 CWE-94 
http://cwe.mitre.org/data/definitions/661.html
http://cwe.mitre.org/data/definitions/94.html

Patches:

The following commits have been made on the 3.5 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
Comment 1 Swamp Workflow Management 2013-06-11 16:00:30 UTC
bugbot adjusting priority
Comment 2 Christian Wittmer 2013-06-12 16:21:39 UTC
fixed with update to 3.5.8.1
- Factory is > 3.5.8.1
- Maintenance request created for 12.2 and 12.3
Comment 3 Swamp Workflow Management 2013-06-21 05:05:23 UTC
openSUSE-SU-2013:1065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 814678,824301,824302
CVE References: CVE-2013-1937,CVE-2013-3238,CVE-2013-3239
Sources used:
openSUSE 12.3 (src):    phpMyAdmin-3.5.8.1-1.4.1
openSUSE 12.2 (src):    phpMyAdmin-3.5.8.1-1.12.1