Vulnerabilities > CVE-2011-4107 - XXE vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
low complexity
phpmyadmin
fedoraproject
debian
CWE-611
nessus
exploit available

Summary

The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.

Exploit-Db

description: phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection. CVE-2011-4107. Webapps exploit for php platform
id: EDB-ID:18371
last seen: 2016-02-02
modified: 2012-01-14
published: 2012-01-14
reporter: Marco Batista
source: https://www.exploit-db.com/download/18371/
title: phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-15841.NASL
    description: Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56925
    published: 2011-11-23
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56925
    title: Fedora 16 : phpMyAdmin-3.4.7.1-1.fc16 (2011-15841)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2011-15841.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with 'description'
    # set, this block only declares metadata and then exits; none of the host
    # checks further down run in this mode.
    if (description)
    {
      script_id(56925);
      script_version("1.8");
      script_cvs_date("Date: 2019/08/02 13:32:34");
    
      # Cross-references: the CVE being tracked and the Fedora advisory that
      # shipped the fixed package.
      script_cve_id("CVE-2011-4107");
      script_xref(name:"FEDORA", value:"2011-15841");
    
      script_name(english:"Fedora 16 : phpMyAdmin-3.4.7.1-1.fc16 (2011-15841)");
      # Detection is package-version based: the plugin compares the installed RPM
      # against the fixed build and does not exercise the XML import code itself.
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Changes for 3.4.7.1 (2011-11-10) :
    
      - [security] Fixed possible local file inclusion in XML
        import (CVE-2011-4107)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=753119"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?01558bf8"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected phpMyAdmin package."
      );
      # NOTE(review): this CVSS v2 vector rates the issue as needing no
      # authentication (Au:N) with partial confidentiality impact (C:P), whereas
      # the CVE-2011-4107 description speaks of remote *authenticated* users
      # reading arbitrary files. Treat the plugin's severity as approximate when
      # prioritising.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
    
      # "local" plugin type: the result is derived from data collected on the
      # host (see the required KB keys below), not from probing the phpMyAdmin
      # web interface over the network.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:phpMyAdmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:16");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/23");
      script_end_attributes();
    
      # Information-gathering category; the check reads the package inventory
      # and sends nothing to the application.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Prerequisites: ssh_get_info.nasl has to run first, and the knowledge base
      # must already hold the local-checks flag, the Red Hat-family release
      # string and the RPM list. Without a credentialed scan these keys are
      # presumably absent and the plugin produces no finding either way.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Host-side check. Each audit() call below (audit.inc) is expected to end
    # the plugin with a specific "not applicable" reason, so the package
    # comparison is only reached on a Fedora 16 host with a usable RPM list.
    
    # Credentialed (local) checks must be enabled for this scan.
    if (!get_kb_item("Host/local_checks_enabled"))
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    }
    
    # The release string has to be present and mention Fedora.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release)
    {
      audit(AUDIT_OS_NOT, "Fedora");
    }
    
    # Pull the numeric release out of the string; give up if it cannot be parsed.
    rel_match = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(rel_match))
    {
      audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    }
    os_ver = rel_match[1];
    
    # This plugin covers the Fedora 16 advisory only.
    if (! ereg(pattern:"^16([^0-9]|$)", string:os_ver))
    {
      audit(AUDIT_OS_NOT, "Fedora 16.x", "Fedora " + os_ver);
    }
    
    # No RPM inventory in the knowledge base means nothing to compare against.
    if (!get_kb_item("Host/RedHat/rpm-list"))
    {
      audit(AUDIT_PACKAGE_LIST_MISSING);
    }
    
    # Only x86_64 and i386..i686 hosts are handled; other architectures are
    # reported as not implemented rather than as clean.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu))
    {
      audit(AUDIT_UNKNOWN_ARCH);
    }
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$")
    {
      audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    }
    
    # rpm_check() (rpm.inc) presumably returns true when the installed phpMyAdmin
    # build is older than the fixed reference build - TODO confirm against rpm.inc.
    # NOTE(review): the verdict rests on the RPM inventory alone. A phpMyAdmin
    # copy deployed outside the package manager is not seen by this check, so a
    # "not affected" result does not cover such installs.
    if (rpm_check(release:"FC16", reference:"phpMyAdmin-3.4.7.1-1.fc16"))
    {
      # Outdated package: raise the finding, with the package report attached
      # when the scan's verbosity setting asks for detail.
      if (report_verbosity > 0)
      {
        security_warning(port:0, extra:rpm_report_get());
      }
      else
      {
        security_warning(0);
      }
      exit(0);
    }
    else
    {
      # No finding: distinguish "package present and not affected" from
      # "package not installed" for the audit trail.
      tested = pkg_tests_get();
      if (tested)
      {
        audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      }
      else
      {
        audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
      }
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-15846.NASL
    description: Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56926
    published: 2011-11-23
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56926
    title: Fedora 15 : phpMyAdmin-3.4.7.1-1.fc15 (2011-15846)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-15831.NASL
    description: Changes for 3.4.7.1 (2011-11-10) : - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56924
    published: 2011-11-23
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/56924
    title: Fedora 14 : phpMyAdmin-3.4.7.1-1.fc14 (2011-15831)
  • NASL family: CGI abuses
    NASL id: PHPMYADMIN_PMASA_2011_17.NASL
    description: According to its self-identified version number, the phpMyAdmin install hosted on the remote web server is affected by an information disclosure vulnerability. The vulnerability, which is in the simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.3.x before 3.3.10.5 and 3.4.x before 3.4.7.1, allows remote, authenticated users to read arbitrary files via XML data containing external entity references.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 59211
    published: 2012-05-21
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/59211
    title: phpMyAdmin simplexml_load_string() Function Information Disclosure (PMASA-2011-17)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_1F6EE7080D2211E1B5BD14DAE938EC40.NASL
    description: Jan Lieskovsky reports : Importing a specially crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 56804
    published: 2011-11-14
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/56804
    title: FreeBSD : phpmyadmin -- Local file inclusion (1f6ee708-0d22-11e1-b5bd-14dae938ec40)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2391.NASL
    description: Several vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2011-4107 The XML import plugin allowed a remote attacker to read arbitrary files via XML data containing external entity references. - CVE-2011-1940, CVE-2011-3181 Cross site scripting was possible in the table tracking feature, allowing a remote attacker to inject arbitrary web script or HTML. The oldstable distribution (lenny) is not affected by these problems.
    last seen: 2020-03-17
    modified: 2012-01-23
    plugin id: 57621
    published: 2012-01-23
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57621
    title: Debian DSA-2391-1 : phpmyadmin - several vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2011-14.NASL
    description: - update to 3.4.7.1 (fix for bnc#728243) - [security] Fixed possible local file inclusion in XML import (CVE-2011-4107), see PMASA-2011-17 http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 74519
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74519
    title: openSUSE Security Update : phpMyAdmin (openSUSE-2011-14)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201201-01.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201201-01 (phpMyAdmin: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in phpMyAdmin. Please review the CVE identifiers and phpMyAdmin Security Advisories referenced below for details. Impact : Remote attackers might be able to insert and execute PHP code, include and execute local PHP files, or perform Cross-Site Scripting (XSS) attacks via various vectors. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57433
    published: 2012-01-05
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57433
    title: GLSA-201201-01 : phpMyAdmin: Multiple vulnerabilities

Packetstorm

data source: https://packetstormsecurity.com/files/download/108681/phpmyadmin33x-lfi.rb.txt
id: PACKETSTORM:108681
last seen: 2016-12-05
published: 2012-01-16
reporter: Marco Batista
source: https://packetstormsecurity.com/files/108681/phpMyAdmin-3.3.x-3.4.x-Local-File-Inclusion-Via-XXE-Injection.html
title: phpMyAdmin 3.3.x / 3.4.x Local File Inclusion Via XXE Injection

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:30020
    last seen: 2017-11-19
    modified: 2012-01-16
    published: 2012-01-16
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-30020
    title: phpMyAdmin 3.3.X and 3.4.X - Local File Inclusion via XXE Injection
  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:72495
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-72495
    title: phpMyAdmin 3.3.x & 3.4.x - Local File Inclusion via XXE Injection

References