Vulnerabilities > CVE-2011-4107 - XXE vulnerability in multiple products
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description | phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection. CVE-2011-4107. Webapps exploit for php platform |
id | EDB-ID:18371 |
last seen | 2016-02-02 |
modified | 2012-01-14 |
published | 2012-01-14 |
reporter | Marco Batista |
source | https://www.exploit-db.com/download/18371/ |
title | phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection |
Nessus
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2011-15841.NASL |
description | Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 56925 |
published | 2011-11-23 |
reporter | This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/56925 |
title | Fedora 16 : phpMyAdmin-3.4.7.1-1.fc16 (2011-15841) |
code |

```
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2011-15841.
#

include("compat.inc");

if (description)
{
  script_id(56925);
  script_version("1.8");
  script_cvs_date("Date: 2019/08/02 13:32:34");

  script_cve_id("CVE-2011-4107");
  script_xref(name:"FEDORA", value:"2011-15841");

  script_name(english:"Fedora 16 : phpMyAdmin-3.4.7.1-1.fc16 (2011-15841)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=753119"
  );
  # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?01558bf8"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected phpMyAdmin package."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/11/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC16", reference:"phpMyAdmin-3.4.7.1-1.fc16")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
}
```

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2011-15846.NASL |
description | Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 56926 |
published | 2011-11-23 |
reporter | This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/56926 |
title | Fedora 15 : phpMyAdmin-3.4.7.1-1.fc15 (2011-15846) |

NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2011-15831.NASL |
description | Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 56924 |
published | 2011-11-23 |
reporter | This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/56924 |
title | Fedora 14 : phpMyAdmin-3.4.7.1-1.fc14 (2011-15831) |

NASL family | CGI abuses |
NASL id | PHPMYADMIN_PMASA_2011_17.NASL |
description | According to its self-identified version number, the phpMyAdmin install hosted on the remote web server is affected by an information disclosure vulnerability. The vulnerability, which is in the simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.3.x before 3.3.10.5 and 3.4.x before 3.4.7.1, allows remote, authenticated users to read arbitrary files via XML data containing external entity references. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 59211 |
published | 2012-05-21 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/59211 |
title | phpMyAdmin simplexml_load_string() Function Information Disclosure (PMASA-2011-17) |

NASL family | FreeBSD Local Security Checks |
NASL id | FREEBSD_PKG_1F6EE7080D2211E1B5BD14DAE938EC40.NASL |
description | Jan Lieskovsky reports : Importing a specially crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server). |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 56804 |
published | 2011-11-14 |
reporter | This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/56804 |
title | FreeBSD : phpmyadmin -- Local file inclusion (1f6ee708-0d22-11e1-b5bd-14dae938ec40) |

NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-2391.NASL |
description | Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-4107 The XML import plugin allowed a remote attacker to read arbitrary files via XML data containing external entity references. - CVE-2011-1940, CVE-2011-3181 Cross site scripting was possible in the table tracking feature, allowing a remote attacker to inject arbitrary web script or HTML. The oldstable distribution (lenny) is not affected by these problems. |
last seen | 2020-03-17 |
modified | 2012-01-23 |
plugin id | 57621 |
published | 2012-01-23 |
reporter | This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/57621 |
title | Debian DSA-2391-1 : phpmyadmin - several vulnerabilities |

NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2011-14.NASL |
description | - update to 3.4.7.1 (fix for bnc#728243) - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107), see PMASA-2011-17 http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 74519 |
published | 2014-06-13 |
reporter | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/74519 |
title | openSUSE Security Update : phpMyAdmin (openSUSE-2011-14) |

NASL family | Gentoo Local Security Checks |
NASL id | GENTOO_GLSA-201201-01.NASL |
description | The remote host is affected by the vulnerability described in GLSA-201201-01 (phpMyAdmin: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers and phpMyAdmin Security Advisories referenced below for details. Impact : Remote attackers might be able to insert and execute PHP code, include and execute local PHP files, or perform Cross-Site Scripting (XSS) attacks via various vectors. Workaround : There is no known workaround at this time. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 57433 |
published | 2012-01-05 |
reporter | This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/57433 |
title | GLSA-201201-01 : phpMyAdmin: Multiple vulnerabilities |
Packetstorm
data source | https://packetstormsecurity.com/files/download/108681/phpmyadmin33x-lfi.rb.txt |
id | PACKETSTORM:108681 |
last seen | 2016-12-05 |
published | 2012-01-16 |
reporter | Marco Batista |
source | https://packetstormsecurity.com/files/108681/phpMyAdmin-3.3.x-3.4.x-Local-File-Inclusion-Via-XXE-Injection.html |
title | phpMyAdmin 3.3.x / 3.4.x Local File Inclusion Via XXE Injection |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:30020 |
last seen | 2017-11-19 |
modified | 2012-01-16 |
published | 2012-01-16 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-30020 |
title | phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:72495 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-72495 |
title | phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection |
References
- http://osvdb.org/76798
- http://www.securityfocus.com/bid/50497
- http://seclists.org/fulldisclosure/2011/Nov/21
- http://secunia.com/advisories/46447
- http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
- https://bugzilla.redhat.com/show_bug.cgi?id=751112
- http://www.wooyun.org/bugs/wooyun-2010-03185
- http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:198
- http://securityreason.com/securityalert/8533
- http://www.openwall.com/lists/oss-security/2011/11/03/3
- http://www.openwall.com/lists/oss-security/2011/11/03/5
- http://www.debian.org/security/2012/dsa-2391
- https://exchange.xforce.ibmcloud.com/vulnerabilities/71108