PMASA-2013-7
Announcement-ID: PMASA-2013-7
Date: 2013-06-30
Updated: 2013-07-01
Summary
Global variable scope injection.
Description
The import.php script was vulnerable to GLOBALS variable injection. Therefore, an attacker could manipulate any configuration parameter.
Severity
We consider this vulnerability to be serious.
Mitigation factor
This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.
Affected Versions
Versions 4.0.x up to 4.0.4 are affected.
Unaffected Versions
Versions prior to 4.0.0 are not affected.
Solution
Upgrade to phpMyAdmin 4.0.4.1 or newer, or apply the patch listed below.
References
Thanks to Markus Wulftange of Daimler TSS for reporting this issue.
Assigned CVE ids: CVE-2013-4729
CWE ids: CWE-621 CWE-661
Patches
import.php
@@ -122,6 +122,24 @@
* We only need to load the selected plugin
*/
+if (! in_array(
+ $format,
+ array(
+ 'csv',
+ 'ldi',
+ 'mediawiki',
+ 'ods',
+ 'shp',
+ 'sql',
+ 'xml'
+ )
+)
+) {
+ // this should not happen for a normal user
+ // but only during an attack
+ PMA_fatalError('Incorrect format parameter');
+}
+
$post_patterns = array(
'/^force_file_/',
'/^'. $format . '_/'
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum