—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA1
Liebe Kolleginnen und Kollegen,
soeben erreichte uns nachfolgende Warnung. Wir geben diese Informationen
unveraendert an Sie weiter.
TYPO3-SA-2011-008 – Mehrere Schwachstellen in phpMyAdmin
In phpMyAdmin sind mehrere Schwachstellen bei der SESSION Behandlung
sowie beim Filtern eines Datei Pfades in MIME-Type kodierten Code. Ein
entfernter Angreifer kann diese Schwachstellen zum Ausfuehren von
Befehlen mit den Rechten von phpMyAdmin oder fuer Directory Traversal
Angriffe ausnutzen.
Betroffen sind die folgenden Software Pakete und Plattformen:
TYPO3-Erweiterung phpMyAdmin vor Version 4.11.2
Alle Systeme auf denen die betroffene Software eingesetzt wird.
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Torsten Voss
– —
Dipl.-Ing.(FH) Torsten Voss (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatische Warnmeldungen https://www.cert.dfn.de/autowarn
TYPO3 Security Bulletin TYPO3-SA-2011-008: Directory Traversal and Code Injection vulnerability in extension phpMyAdmin (phpmyadmin)
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: Version 4.11.1 and below
Vulnerability Type: Directory Traversal, Code Injection
Severity: High
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:N/A:N/E:ND/RL:OF/RC:C (What’s that?)
References: PMASA-2011-5, PMASA-2011-6, PMASA-2011-7, PMASA-2011-8
Release Date: 06.07.2011
Problem Description:
It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. Because an unsanitized key from the Servers array is written in a comment of the generated config, an attacker can modify this key by modifying the SESSION superglobal array. This allows the attacker to close the comment and inject code.
Through a possible bug in PHP, a null byte can truncate the pattern string allowing an attacker to inject the /e modifier causing the preg_replace function to execute its second argument as PHP code.
Filtering of a file path in the MIME-type transformation code, which allowed for directory traversal has been fixed.
Solution: An updated version 4.11.2 is available from the TYPO3 extension manager and at typo3.org/extensions/repository/view/phpmyadmin/4.11.2/. Users of the extension are advised to update the extension as soon as possible.
The TYPO3 Security Team requests TYPO3 administrators to consider our advice from TYPO3-SA-2009-015 to either use extension phpMyAdmin only on development servers or to use the phpMyAdmin standalone application on production servers.
This advice is also relevant in context of the TYPO3 Security Team not being informed about this security fix by the extension maintainer. Therefore, the TYPO3 Security Team cannot guarantee to publish advisories along with future security fixes released by the extension maintainer.
General advice: Follow the recommendations that are given in the TYPO3 Security Cookbook. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Credits: Thanks to Andreas Beutel for providing a TYPO3 extension package with an updated phpMyAdmin version.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v2.0.16 (GNU/Linux)
iQEcBAEBAgAGBQJOFvh2AAoJEJtyb8U7iGZB3QQH/RYwAo4g3tKASYe8DVPQQJSa
NT/b1hmgtGudij6z5iGrlQE5DZwICx6aKn6AKRiHGxywkYdZfaKC9P36KMkZqeo5
FFwRM0SIBIrTNH3msiXd1n9kWqb2f0wUnWmYkcpEilCMBy5lYBXA3x9HyigC6TN3
ZLJwpNuwe3cno5ec9oOIQ28TOBmSZ/8HPPZXvcmvFaWxFk8JXUNvEMZ1OpA61CFu
9QBt1VFHxANxhjhdpJoB6GpYnlobCXXWq1ZB5Vph9n0QwVDpU5MzHyPnBadXCBRw
mmlYcSGQTnPSXwDPtrCEk5hA82vK2KOLi8OUl2cg9SI8ta2Fo+XYCZTWyg/3g5k=
=biMy
—–END PGP SIGNATURE—–
