phpMyAdmin 4.4.6 Man-In-the-Middle to API Github

phpMyAdmin 4.4.6 Man-In-the-Middle to API Github (CVE-2015-3903)
Author: Maksymilian Arciemowicz from https://cxsecurity.com
Issue type: CWE-295

--- Description ---
As we can read

CURLOPT_SSL_VERIFYPEER option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYPEER.html
WARNING: disabling verification of the certificate allows bad guys to man-in-the-middle the communication without you knowing it. Disabling verification makes the communication insecure. Just having encryption on a transfer is not enough as you cannot be sure that you are communicating with the correct end-point.

CURLOPT_SSL_VERIFYHOST option.
http://curl.haxx.se/libcurl/c/CURLOPT_SSL_VERIFYHOST.html
When the verify value is 0, the connection succeeds regardless of the names in the certificate. Use that ability with caution!


--- MItM in libraries/Config.class.php ---

Let's see libraries/Config.class.php file

-------------------------------
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Config.class.php
		...
        // check if commit exists in Github
        if ($commit !== false
            && isset($_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash])
        ) {
            $is_remote_commit = $_SESSION['PMA_VERSION_REMOTECOMMIT_' . $hash];
        } else {
            $link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin/git/commits/'
                . $hash;
            $is_found = $this->checkHTTP($link, ! $commit);
      	...     
	           $link = 'https://api.github.com/repos/phpmyadmin/phpmyadmin'
                    . '/git/trees/' . $branch;
                $is_found = $this->checkHTTP($link);
    	...
-------------------------------     
                
where checkHTTP() is vulnerable for MItM attack

https://cwe.mitre.org/data/definitions/295.html

-------------------------------
	...
    function checkHTTP($link, $get_body = false)
    {
        if (! function_exists('curl_init')) {
            return null;
        }
        $ch = curl_init($link);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 0);
        curl_setopt($ch, CURLOPT_HEADER, 1);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0); <=============== MItM
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0); <=============== MItM
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 5);
        curl_setopt($ch, CURLOPT_USERAGENT, 'phpMyAdmin/' . PMA_VERSION);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        if (! defined('TESTSUITE')) {
            session_write_close();
        }
        $data = @curl_exec($ch);
        if (! defined('TESTSUITE')) {
            ini_set('session.use_only_cookies', '0');
            ini_set('session.use_cookies', '0');
            ini_set('session.use_trans_sid', '0');
            ini_set('session.cache_limiter', 'nocache');
            session_start();
        }
        if ($data === false) {
            return null;
        }
        $httpOk = 'HTTP/1.1 200 OK';
        $httpNotFound = 'HTTP/1.1 404 Not Found';
        ...
-------------------------------

Example target URL:
https://api.github.com/repos/phpmyadmin/phpmyadmin/git/trees/master

--- Credit ---
Issue discovered by Maksymilian Arciemowicz from http://cxsecurity.com by using cIFrex (static code analysis tool http://cifrex.org ).

--- Patch ---
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php