Vigil@nce: phpMyAdmin, code execution via server_databases.php
September 2008 by Vigil@nce
An attacker with a phpMyAdmin account can use server_databases.php
to execute code on the server.
– Gravity: 2/4
– Consequences: privileged access/rights
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 16/09/2008
– Identifier: VIGILANCE-VUL-8110
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION
The server_databases.php script of phpMyAdmin manages databases
(creation, deletion). Access to this script is restricted to
authenticated phpMyAdmin users.
The PMA_DBI_get_databases_full() function of the
database_interface.lib.php file returns the sorted database list.
The sorting function is dynamically created with
create_function(), from the value of $sort_by. However, this value
is a parameter of server_databases.php, so it is controlled by the
user.
An authenticated attacker can therefore execute PHP code, which
can call external code with exec().
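The safer pattern for a user-selected sort key is sketched below as an added example. It is not phpMyAdmin's code or its actual patch. The function name sort_databases(), the column names and the sample rows are assumptions made for illustration.

```php
<?php
// Added illustration with hypothetical names; not phpMyAdmin's own code.
//
// Risky pattern described above (schematic, comment only; create_function()
// was deprecated in PHP 7.2 and removed in PHP 8.0):
//   $cmp = create_function('$a, $b', '... $a["' . $sort_by . '"] ...');
// The request value is concatenated into PHP source that is then evaluated.

// Assumed column names, for the example only.
const ALLOWED_SORT_COLUMNS = ['SCHEMA_NAME', 'SCHEMA_TABLES', 'SCHEMA_LENGTH'];

function sort_databases(array $databases, $sort_by, $sort_order = 'ASC'): array
{
    // Strict allowlist: non-strings (e.g. sort_by[]=x) and unknown names
    // fall back to a fixed default instead of reaching the comparator.
    if (!is_string($sort_by) || !in_array($sort_by, ALLOWED_SORT_COLUMNS, true)) {
        $sort_by = 'SCHEMA_NAME';
    }
    $direction = ($sort_order === 'DESC') ? -1 : 1;

    // Closure: $sort_by is only ever an array key (data), never code.
    usort($databases, function (array $a, array $b) use ($sort_by, $direction): int {
        return $direction * strnatcasecmp((string) $a[$sort_by], (string) $b[$sort_by]);
    });
    return $databases;
}

// Constructed sample rows.
$databases = [
    ['SCHEMA_NAME' => 'shop',  'SCHEMA_TABLES' => 12, 'SCHEMA_LENGTH' => 40960],
    ['SCHEMA_NAME' => 'blog',  'SCHEMA_TABLES' => 3,  'SCHEMA_LENGTH' => 8192],
    ['SCHEMA_NAME' => 'audit', 'SCHEMA_TABLES' => 7,  'SCHEMA_LENGTH' => 163840],
];

// Constructed request values: one valid, one unknown name, one array.
$requests = ['SCHEMA_TABLES', 'not_a_column', ['unexpected' => 'array']];

foreach ($requests as $requested) {
    $sorted = sort_databases($databases, $requested, 'ASC');
    echo json_encode($requested), ' => ',
         implode(', ', array_column($sorted, 'SCHEMA_NAME')), PHP_EOL;
}
```

The two values outside the allowlist produce the default ordering by name, and no request value is ever evaluated as PHP source.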
CHARACTERISTICS
– Identifiers: BID-31188, CVE-2008-4096, PMASA-2008-7,
VIGILANCE-VUL-8110
– Url: https://vigilance.aql.fr/tree/1/8110