
#3081 (ok 2.11.10.1) command execution vulnerability in setup

fixed
nobody
1
2013-06-11
2010-08-15
t.terada
No

Hello,

I found a PHP command execution vulnerability in scripts/setup.php
included in phpMyAdmin 2.11.10.

The vulnerability I found is similar to CVE-2009-1151
(http://www.securityfocus.com/bid/34236), but a bit different.
It affects the latest version of phpMyAdmin 2.X.

See the attached file, which is a sample exploit PHP program
for phpMyAdmin 2.11.10. (curl library required.)

The attached exploit program creates a config/config.inc.php file
on the target machine, which includes the line below.

$cfg['Servers'][$i]['AllowDeny']['order']['a']['b'][''.phpinfo().''] = '1';

When the config.inc.php is loaded, phpinfo() will be executed.

The cause is line 521 in scripts/setup.php.

520: if ($type == 'string') {
521: $ret .= get_cfg_val($name . "['$k']", $v);
522: } elseif ($type == 'int') {

If the input array is deeply nested, the array key will be
neither properly encoded nor checked.
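
The flaw class described in the report above, reduced to a stand-alone sketch. This is an added example, not code from the report, the attached file, or phpMyAdmin: `emit_unsafe`, `emit_safe` and `is_plain_assignment` are hypothetical names, the input array is constructed from the generated line quoted in the report, and the hardening shown is one possible approach rather than the project's actual fix.

```php
<?php
// Added illustration; function names are hypothetical, not phpMyAdmin's code.

// Flawed pattern: the key $k is pasted between quotes with no escaping.
function emit_unsafe(string $name, array $arr): string
{
    $out = '';
    foreach ($arr as $k => $v) {
        $path = $name . "['$k']";
        $out .= is_array($v)
            ? emit_unsafe($path, $v)
            : $path . ' = ' . var_export((string) $v, true) . ";\n";
    }
    return $out;
}

// Hardened pattern: var_export() escapes ' and \ in string keys.
function emit_safe(string $name, array $arr): string
{
    $out = '';
    foreach ($arr as $k => $v) {
        $path = $name . '[' . var_export($k, true) . ']';
        $out .= is_array($v)
            ? emit_safe($path, $v)
            : $path . ' = ' . var_export((string) $v, true) . ";\n";
    }
    return $out;
}

// Defence in depth: accept generated config only if it tokenises to
// variables, quoted strings, integers and the punctuation [ ] = ;
function is_plain_assignment(string $php): bool
{
    $okTokens = [T_OPEN_TAG, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_WHITESPACE];
    foreach (token_get_all('<?php ' . $php) as $tok) {
        $ok = is_array($tok) ? in_array($tok[0], $okTokens, true)
                             : in_array($tok, ['[', ']', '=', ';'], true);
        if (!$ok) return false;
    }
    return true;
}

// Constructed input: the nested key from the report's generated line.
$input = ['order' => ['a' => ['b' => ["'.phpinfo().'" => '1']]]];
$base  = "\$cfg['Servers'][\$i]['AllowDeny']";
foreach (['emit_unsafe', 'emit_safe'] as $fn) {
    $line = $fn($base, $input);
    echo $fn, ': ', rtrim($line), ' => ', is_plain_assignment($line) ? 'accepted' : 'rejected', "\n";
}
```

The token allow-list is useful as a regression check on any code generator that writes PHP config from request data: a line that needs a concatenation operator or a function name to tokenise did not come from escaped literals.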

Discussion

  • t.terada

    t.terada - 2010-08-15
     
  • Michal Čihař

    Michal Čihař - 2010-08-20

    Thanks for the report, fix has been committed to our security repository and will be released today or during weekend.

     
  • Michal Čihař

    Michal Čihař - 2010-08-20
    • priority: 5 --> 1
    • summary: command execution vulnerability again in scripts/setup.php --> (ok 2.11.10.1) command execution vulnerability in setup
     
  • Marc Delisle

    Marc Delisle - 2010-08-22
    • status: open --> closed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed --> fixed