Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 4.3
CVE Id CVE-2011-4107
Last Modified 06 Nov 2012 12:03:05
Published 17 Nov 2011 02:55:01
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-4107

Summary

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Vulnerable Systems

Application

  • Phpmyadmin 3.3.10.0

  • Phpmyadmin 3.3.10.1

  • Phpmyadmin 3.3.10.2

  • Phpmyadmin 3.3.10.3

  • Phpmyadmin 3.3.10.4

  • Phpmyadmin 3.3.5.1

  • Phpmyadmin 3.3.6

  • Phpmyadmin 3.3.7

  • Phpmyadmin 3.3.8

  • Phpmyadmin 3.3.8.1

  • Phpmyadmin 3.3.9.0

  • Phpmyadmin 3.3.9.1

  • Phpmyadmin 3.3.9.2

  • Phpmyadmin 3.4.0.0

  • Phpmyadmin 3.4.1.0

  • Phpmyadmin 3.4.2.0

  • Phpmyadmin 3.4.3.0

  • Phpmyadmin 3.4.3.1

  • Phpmyadmin 3.4.3.2

  • Phpmyadmin 3.4.4.0

  • Phpmyadmin 3.4.5.0

  • Phpmyadmin 3.4.6

  • Phpmyadmin 3.4.7


References

CONFIRM - http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php

MISC - https://bugzilla.redhat.com/show_bug.cgi?id=751112

XF - phpmyadmin-xml-info-disclosure(71108)

MISC - http://www.wooyun.org/bugs/wooyun-2010-03185

BID - 50497

SECUNIA - 46447

FULLDISC - 20111102 PhpMyAdmin Arbitrary File Reading

MISC - http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt

OSVDB - 76798

FEDORA - FEDORA-2011-15831

FEDORA - FEDORA-2011-15846

FEDORA - FEDORA-2011-15841

MANDRIVA - MDVSA-2011:198

SREASON - 8533

MLIST - [oss-security] 20111103 Re: CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files

MLIST - [oss-security] 20111103 CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files

DEBIAN - DSA-2391


Last Updated: 27 May 2016 10:57:16