Bug 828319 (CVE-2013-4729) - VUL-0: CVE-2013-4729: phpMyAdmin: input data file format escalation
Summary: VUL-0: CVE-2013-4729: phpMyAdmin: input data file format escalation
Status: RESOLVED FIXED
Alias: CVE-2013-4729
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-07-05 12:17 UTC by Marcus Meissner
Modified: 2013-12-04 16:57 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2013-07-05 12:17:40 UTC 
ius public, via CVE db

CVE-2013-4729

import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS supe
rglobal array, and consequently change the configuration, via a crafted request.
    
Reference: CONFIRM: https://github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36
Reference: CONFIRM: http://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php
Comment 1 Swamp Workflow Management 2013-07-05 22:00:30 UTC 
bugbot adjusting priority
Comment 2 Christian Wittmer 2013-07-28 23:33:24 UTC 
Versions prior to 4.0.0 are not affected.
Comment 3 Marcus Meissner 2013-12-04 16:57:46 UTC 
12.3 has 3.5.6

13.1 has 4.0.7

so nothing was affected.