National Cyber Awareness System

Vulnerability Summary for CVE-2011-4107

Overview

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php

Type: Advisory; Patch Information

Hyperlink:http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php

External Source: MISC

Name: https://bugzilla.redhat.com/show_bug.cgi?id=751112

Hyperlink:https://bugzilla.redhat.com/show_bug.cgi?id=751112

External Source: XF

Name: phpmyadmin-xml-info-disclosure(71108)

Hyperlink:http://xforce.iss.net/xforce/xfdb/71108

External Source: MISC

Name: http://www.wooyun.org/bugs/wooyun-2010-03185

Hyperlink:http://www.wooyun.org/bugs/wooyun-2010-03185

External Source: BID

Name: 50497

Hyperlink:http://www.securityfocus.com/bid/50497

External Source: MLIST

Name: [oss-security] 20111103 Re: CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files

Hyperlink:http://www.openwall.com/lists/oss-security/2011/11/03/5

External Source: MLIST

Name: [oss-security] 20111103 CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files

Hyperlink:http://www.openwall.com/lists/oss-security/2011/11/03/3

External Source: MANDRIVA

Name: MDVSA-2011:198

Hyperlink:http://www.mandriva.com/security/advisories?name=MDVSA-2011:198

External Source: DEBIAN

Name: DSA-2391

Hyperlink:http://www.debian.org/security/2012/dsa-2391

External Source: SREASON

Name: 8533

Hyperlink:http://securityreason.com/securityalert/8533

External Source: SECUNIA

Name: 46447

Type: Advisory

Hyperlink:http://secunia.com/advisories/46447

External Source: FULLDISC

Name: 20111102 PhpMyAdmin Arbitrary File Reading

Hyperlink:http://seclists.org/fulldisclosure/2011/Nov/21

External Source: MISC

Name: http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt

Hyperlink:http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt

External Source: OSVDB

Name: 76798

Hyperlink:http://osvdb.org/76798

External Source: FEDORA

Name: FEDORA-2011-15831

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html

External Source: FEDORA

Name: FEDORA-2011-15846

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html

External Source: FEDORA

Name: FEDORA-2011-15841

Hyperlink:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html