1. CVE-Search
  2. CVE-2011-4107
ID CVE-2011-4107
Summary The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack.
References
Vulnerable Configurations
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.4:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.6.0:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
    cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.7.0:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:16:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:15:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:14:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:5.0:*:*:*:*:*:*:*
CVSS
Base: 4.3 (as of 09-02-2024 - 02:27)
Impact:
Exploitability:
CWE CWE-611
CAPEC
  • XML External Entities Blowup
    This attack takes advantage of the entity replacement property of XML where the value of the replacement is a URI. A well-crafted XML document could have the entity refer to a URI that consumes a large amount of resources to create a denial of service condition. This can cause the system to either freeze, crash, or execute arbitrary code depending on the URI.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:N/A:N
refmap via4
bid 50497
confirm http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
debian DSA-2391
fedora
  • FEDORA-2011-15831
  • FEDORA-2011-15841
  • FEDORA-2011-15846
fulldisc 20111102 PhpMyAdmin Arbitrary File Reading
mandriva MDVSA-2011:198
misc
mlist
  • [oss-security] 20111103 CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files
  • [oss-security] 20111103 Re: CVE Request -- phpMyAdmin -- Arbitrary local file read flaw by loading XML strings / importing XML files
osvdb 76798
secunia 46447
sreason 8533
xf phpmyadmin-xml-info-disclosure(71108)
Last major update 09-02-2024 - 02:27
Published 17-11-2011 - 19:55
Last modified 09-02-2024 - 02:27
Back to Top