Mandriva Linux Security Advisory : phpmyadmin (MDVSA-2013:160)

medium Nessus Plugin ID 66313

Synopsis

The remote Mandriva Linux host is missing a security update.

Description

Updated phpmyadmin package fixes security vulnerabilities :

In some PHP versions, the preg_replace\(\) function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly sanitize an argument passed to preg_replace\(\) when using the Replace table prefix feature, opening the way to this vulnerability (CVE-2013-3238).

phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type sql (the default) will treat this saved file as a .php script, leading to remote code execution (CVE-2013-3239).

Solution

Update the affected phpmyadmin package.

Plugin Details

Severity: Medium

ID: 66313

File Name: mandriva_MDVSA-2013-160.nasl

Version: 1.10

Type: local

Published: 5/4/2013

Updated: 1/6/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.0

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:phpmyadmin, cpe:/o:mandriva:business_server:1

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/3/2013

Exploitable With

Core Impact

Metasploit (phpMyAdmin Authenticated Remote Code Execution via preg_replace())

Reference Information

CVE: CVE-2013-3238, CVE-2013-3239

BID: 59460, 59465

MDVSA: 2013:160

MGASA: 2013-0133