PMASA-2018-4
Announcement-ID: PMASA-2018-4
Date: 2018-06-19
Updated: 2018-06-21
Summary
File inclusion and remote code execution attack
Description
A flaw has been discovered where an attacker can include (view and potentially execute) files on the server.
The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.
An attacker must be authenticated, except in these situations:
- $cfg['AllowArbitraryServer'] = true: the attacker can specify any host they already control and execute arbitrary code on phpMyAdmin
- $cfg['ServerDefault'] = 0: this bypasses the login and runs the vulnerable code without any authentication
Severity
We consider this to be severe.
Mitigation factor
Configuring PHP with a restrictive `open_basedir` can greatly restrict an attacker's ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0.
Affected Versions
phpMyAdmin 4.8.0 and 4.8.1 are affected.
Solution
Upgrade to phpMyAdmin 4.8.2 or newer, or apply the patch listed below.
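An added example (not part of the advisory and not phpMyAdmin code): a Python check that reads a config.inc.php and reports the affected versions and the two directives named above. The function names, the sample config and the default values used when a directive is absent are assumptions.

```python
import re

AFFECTED = {"4.8.0", "4.8.1"}  # versions named in the advisory
# Assumption: values phpMyAdmin uses when config.inc.php does not set them.
DEFAULTS = {"AllowArbitraryServer": False, "ServerDefault": 1}

# Quoted strings are captured so comment markers inside them are left alone.
_TOKEN = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|(?://|#)[^\n]*""", re.S)
_ASSIGN = re.compile(r"""\$cfg\[\s*(['"])(\w+)\1\s*\]\s*=\s*([^;]+);""")

def parse_directives(config_text):
    """Effective values of the two directives; the last assignment wins."""
    code = _TOKEN.sub(lambda m: m.group(1) or "", config_text)
    values = dict(DEFAULTS)
    for _quote, name, raw in _ASSIGN.findall(code):
        raw = raw.strip().strip("'\"").lower()
        if name == "AllowArbitraryServer":
            values[name] = raw in ("true", "1")
        elif name == "ServerDefault" and raw.isdigit():
            values[name] = int(raw)
    return values

def audit(version, config_text):
    """Return findings for one install; an empty list means nothing to flag."""
    cfg = parse_directives(config_text)
    findings = []
    if version in AFFECTED:
        findings.append(f"{version} is affected: upgrade to 4.8.2 or newer")
    if cfg["AllowArbitraryServer"]:
        findings.append("AllowArbitraryServer = true: no prior login needed")
    if cfg["ServerDefault"] == 0:
        findings.append("ServerDefault = 0: login is bypassed")
    return findings

# Constructed sample config.inc.php, not taken from a real system.
SAMPLE = """<?php
$cfg['blowfish_secret'] = 'constructed-#-value'; // placeholder
$cfg['Servers'][1]['host'] = 'localhost';
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;
$cfg['ServerDefault'] = 0;
"""

if __name__ == "__main__":
    for finding in audit("4.8.1", SAMPLE):
        print("FINDING:", finding)
```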
References
Henry Huang, an independent security researcher, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Assigned CVE IDs: CVE-2018-12613
CWE IDs: CWE-661
Patches
The following commits have been made on the 4.8 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.