CVE-2011-4107 Information
Description
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
Reference
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
http://osvdb.org/76798
http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
http://seclists.org/fulldisclosure/2011/Nov/21
http://secunia.com/advisories/46447
http://securityreason.com/securityalert/8533
http://www.debian.org/security/2012/dsa-2391
http://www.mandriva.com/security/advisories?name=MDVSA-2011:198
http://www.openwall.com/lists/oss-security/2011/11/03/3
http://www.openwall.com/lists/oss-security/2011/11/03/5
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
http://www.securityfocus.com/bid/50497
http://www.wooyun.org/bugs/wooyun-2010-03185
https://bugzilla.redhat.com/show_bug.cgi?id=751112
https://exchange.xforce.ibmcloud.com/vulnerabilities/71108