MGASA-2013-0133
Date: | May 2nd, 2013 |
Affected releases: | 2 |
Media: | Core |
Description:
Updated phpmyadmin package fixes security vulnerabilities:
In some PHP versions, the preg_replace() function can be tricked into
executing arbitrary PHP code on the server. This is done by passing a
crafted argument as the regular expression, containing a null byte.
phpMyAdmin does not correctly sanitize an argument passed to preg_replace()
when using the "Replace table prefix" feature, opening the way to this
vulnerability (CVE-2013-3238).
phpMyAdmin can be configured to save an export file on the web server, via
its SaveDir directive. With this in place, it's possible, either via a
crafted filename template or a crafted table name, to save a double
extension file like foobar.php.sql. In turn, an Apache webserver on which
there is no definition for the MIME type "sql" (the default) will treat
this saved file as a ".php" script, leading to remote code execution
(CVE-2013-3239).
Updated Packages:
i586:
phpmyadmin-3.5.8.1-1.mga2.noarch.rpm
x86_64:
phpmyadmin-3.5.8.1-1.mga2.noarch.rpm
SRPMS:
phpmyadmin-3.5.8.1-1.mga2.src.rpm
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3238
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3239
http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
https://bugs.mageia.org/show_bug.cgi?id=9863