CVE-2011-4107 PoC - phpMyAdmin Local File Inclusion via XXE injection

An interesting local file inclusion vulnerability has recently been published: an XXE (XML eXternal Entity) injection attack which affects phpMyAdmin 3.4.x prior to 3.4.7.1 and 3.3.x prior to 3.3.10.5.

CVE-2011-4107: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107

The issue is located in the libraries\import\xml.php file, where simplexml_load_string() is called on the uploaded buffer without first checking whether the document references an external entity:

$xml = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);

phpMyAdmin offers the functionality of importing a database from a user-specified XML file. In vulnerable versions, importing a specially crafted XML file which contains an external XML entity permits an authenticated attacker to retrieve a local file from the server or network (limited by the privileges of the user running the web server).
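The following is an added example (not phpMyAdmin's own code) that puts the parse call quoted above beside a hardened version of the same import step: the hardened routine refuses any upload carrying a DTD, disables external entity loading on the PHP 5.x builds phpMyAdmin 3.x ran on, and keeps libxml off the network. The export-shaped documents and the file path in the hostile sample are constructed placeholders.

```php
<?php
// Added example, not phpMyAdmin's code: the parse call quoted on the page
// beside a hardened version of the same import step. Inputs are constructed.

// Vulnerable pattern (the call quoted from libraries/import/xml.php): the
// upload is parsed as-is, so a DOCTYPE that declares an external entity makes
// libxml read the referenced resource when the entity's value is accessed.
function parse_import_vulnerable($buffer)
{
    return simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT);
}

// Hardened version: no DTD at all in an import (a phpMyAdmin XML export never
// carries one), no network fetches, and no entity loading on old PHP builds.
function parse_import_hardened($buffer)
{
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $buffer)) {
        throw new InvalidArgumentException('import rejected: DTD or entity declaration present');
    }
    // Needed on PHP < 8.0 (external entity loading is off by default since 8.0
    // and the function is deprecated there); this is the era phpMyAdmin 3.x ran on.
    if (PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader')) {
        libxml_disable_entity_loader(true);
    }
    $prev = libxml_use_internal_errors(true);
    $xml  = simplexml_load_string($buffer, "SimpleXMLElement", LIBXML_COMPACT | LIBXML_NONET);
    $errs = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        throw new RuntimeException('import rejected: ' . ($errs ? trim($errs[0]->message) : 'parse failure'));
    }
    return $xml;
}

// Constructed inputs: a minimal export-shaped document, and the same document
// with a DTD declaring an external entity (placeholder path, not a real target).
$benign  = '<?xml version="1.0"?><pma_xml_export version="1.0"><database name="test"/></pma_xml_export>';
$hostile = '<?xml version="1.0"?><!DOCTYPE pma_xml_export [<!ENTITY ext SYSTEM "file:///placeholder/local/file">]>'
         . '<pma_xml_export version="1.0"><database name="&ext;"/></pma_xml_export>';

echo parse_import_hardened($benign)->database['name'], "\n";
try {
    parse_import_hardened($hostile);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Rejecting the DTD up front is the check that matters: it fails closed regardless of which libxml2 or PHP version is installed, while the entity-loader and LIBXML_NONET settings are defence in depth for documents that slip past it.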

on our website.

This module automates the process of local file inclusion in the following way:

1. Logging in to phpMyAdmin using the provided credentials.

2. Crafting an XML document using XXE with the given file to read.

3. Uploading the XML.

4. Retrieving the file from the server or network (restricted by the privileges of the user running the web server).

The module has the options shown in the following screenshot:

An example of a successful run of the module is presented in the screenshot below:

Example of successfully reading a file

The following definitions place the XML external entity (XXE) injection attack within the broader class of XML injection vulnerabilities:

XML injection

XML injection is possible when an attacker can change the values of an XML document and the XML parser fails to perform appropriate validation of the data.

XML external entity injection attack (XXE)

“External Entity: The set of valid entities can be extended by defining new entities. If the definition of an entity is a URI, the entity is called an external entity. Unless configured to do otherwise, external entities force the XML parser to access the resource specified by the URI, e.g., a file on the local machine or on a remote system. This behavior exposes the application to XML eXternal Entity (XXE) attacks, which can be used to perform denial of service of the local system, gain

XXE Example: