Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2013-2024 and is owned by Tenable, Inc. or an Affiliate thereof.WORDPRESS_PORTABLE_PHPMYADMIN_AUTH_BYPASS.NASL
HistoryJan 25, 2013 - 12:00 a.m.

Portable phpMyAdmin Plugin for WordPress 'wp-pma-mod' Authentication Bypass

2013-01-2500:00:00
This script is Copyright (C) 2013-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
431

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.9

Confidence

Low

EPSS

0.014

Percentile

86.5%

JSON

The Portable phpMyAdmin Plugin for WordPress installed on the remote host is affected by an authentication bypass vulnerability because the /wp-pma-mod/ path fails to properly authorize users. his may allow an attacker to bypass access restrictions and gain access to the administrative console to perform unauthorized actions.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(64245);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/05");

  script_cve_id("CVE-2012-5469");
  script_bugtraq_id(56920);
  script_xref(name:"EDB-ID", value:"23356");

  script_name(english:"Portable phpMyAdmin Plugin for WordPress 'wp-pma-mod' Authentication Bypass");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is affected by an
authentication bypass vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Portable phpMyAdmin Plugin for WordPress installed on the remote
host is affected by an authentication bypass vulnerability because the
/wp-pma-mod/ path fails to properly authorize users. his may allow an
attacker to bypass access restrictions and gain access to the
administrative console to perform unauthorized actions.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2012/Dec/91");
  script_set_attribute(attribute:"see_also", value:"https://wordpress.org/plugins/portable-phpmyadmin/#changelog");
  script_set_attribute(attribute:"solution", value:
"Upgrade to version 1.3.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/12/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/11/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:wordpress:wordpress");
  script_set_attribute(attribute:"enable_cgi_scanning", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2013-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("wordpress_detect.nasl");
  script_require_keys("installed_sw/WordPress", "www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");

app = "WordPress";
get_install_count(app_name:app, exit_if_zero:TRUE);

port = get_http_port(default:80, php:TRUE);

install = get_single_install(
  app_name : app,
  port     : port
);

dir = install['path'];
install_url = build_url(port:port, qs:dir);

plugin = 'Portable phpMyAdmin';

# Check KB first
installed = get_kb_item("www/"+port+"/webapp_ext/"+plugin+" under "+dir);

if (!installed)
{
  checks = make_array();
  path = "/wp-content/plugins/";
  checks[path + "portable-phpmyadmin/wp-pma-mod/js/navigation.js"][0] =
    make_list('function PMA_save');

  # Ensure plugin is installed
  installed = check_webapp_ext(
    checks : checks,
    dir    : dir,
    port   : port,
    ext    : plugin
  );
}
if (!installed)
audit(AUDIT_WEB_APP_EXT_NOT_INST, app, install_url, plugin + " plugin");

# Attempt to access phpMyAdmin
exploit = "/wp-content/plugins/portable-phpmyadmin/wp-pma-mod/";
res = http_send_recv3(
    method    : "GET",
    item      : dir + exploit,
    port         : port,
    exit_on_fail : TRUE
);

if (
  "<title>phpMyAdmin" >< res[2] &&
  "<p>phpMyAdmin is more friendly" >< res[2]
)
{
  out = strstr(res[2], "<title");
  count = 0;
  # Format our output for reporting. Limit to 20 lines
  foreach line (split(out))
  {
    output += line;
    count++;
    if (count >= 20) break;
  }

  if (report_verbosity > 0)
  {
    snip = crap(data:"-", length:30)+' snip '+ crap(data:"-", length:30);
    report =
      '\nNessus was able to verify the issue using the following request :' +
      '\n' +
      '\n' + install_url + exploit +
      '\n';
      if (report_verbosity > 1)
      {
        report +=
          '\nThis produced the following truncated output : ' +
          '\n' + snip +
          '\n' + output + snip +
          '\n';
      }
      security_hole(port:port, extra:report);
    }
    else security_hole(port);
    exit(0);
}
audit(AUDIT_WEB_APP_EXT_NOT_AFFECTED, app, install_url, plugin + " Plugin");

Related

patchstack 1
packetstorm 1
seebug 1
securityvulns 2
exploitdb 1
exploitpack 1
checkpoint_advisories 1
prion 1
zdt 1
wpvulndb 1
cvelist 1
cve 1
myhack58 1
openvas 1
nvd 1
patchstack
patchstack
WordPress Portable phpMyAdmin Plugin - Authentication Bypass
2012-12-13 00:00:00
packetstorm
packetstorm
WordPress portable-phpMyAdmin 1.3.0 Authentication Bypass
2012-12-12 00:00:00
seebug
seebug
Portable phpMyAdmin Wordpress Plugin Authentication Bypass
2014-07-01 00:00:00
securityvulns
securityvulns
&#39;portable-phpMyAdmin &#40;WordPress Plugin&#41;&#39; Authentication Bypass &#40;CVE-2012-5469&#41;
2012-12-18 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2012-12-18 00:00:00
exploitdb
exploitdb
WordPress Plugin Portable phpMyAdmin - Authentication Bypass
2012-12-13 00:00:00
exploitpack
exploitpack
WordPress Plugin Portable phpMyAdmin - Authentication Bypass
2012-12-13 00:00:00
checkpoint_advisories
checkpoint_advisories
WordPress portable-phpMyAdmin Plugin Authentication Bypass (CVE-2012-5469)
2019-04-08 00:00:00
prion
prion
Authentication flaw
2012-12-20 12:02:00
zdt
zdt
Wordpress Plugin Portable phpMyAdmin Authentication Bypass
2012-12-13 00:00:00
wpvulndb
wpvulndb
portable-phpMyAdmin < 1.3.1 - Authentication Bypass
2014-08-01 00:00:00
cvelist
cvelist
CVE-2012-5469
2012-12-20 11:00:00
cve
cve
CVE-2012-5469
2012-12-20 12:02:18
myhack58
myhack58
portable-phpMyAdmin๏ผˆWordPress plugin authentication bypass-vulnerability warning-the black bar safety net
2012-12-21 00:00:00
openvas
openvas
WordPress Portable phpMyAdmin Plugin 'wp-pma-mod' Security Bypass Vulnerability
2012-12-17 00:00:00
nvd
nvd
CVE-2012-5469
2012-12-20 12:02:18

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.9

Confidence

Low

EPSS

0.014

Percentile

86.5%

JSON
Related for WORDPRESS_PORTABLE_PHPMYADMIN_AUTH_BYPASS.NASL
patchstack1packetstorm1seebug1securityvulns2exploitdb1exploitpack1checkpoint_advisories1prion1zdt1wpvulndb1cvelist1cve1myhack581openvas1nvd1