
File inclusion and remote code execution attack

2018-06-19 00:00:00
www.phpmyadmin.net

CVSS2: 6.5 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.973 High

Percentile: 99.9%

PMASA-2018-4

Announcement-ID: PMASA-2018-4

Date: 2018-06-19

Updated: 2018-06-21

Summary

File inclusion and remote code execution attack

Description

A flaw has been discovered where an attacker can include (view and potentially execute) files on the server.

The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.

An attacker must be authenticated, except in these situations:

  • $cfg['AllowArbitraryServer'] = true: attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin
  • $cfg['ServerDefault'] = 0: this bypasses the login and runs the vulnerable code without any authentication

Severity

We consider this to be severe.

Mitigation factor

Configuring PHP with a restrictive open_basedir can greatly restrict an attacker’s ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0.

Affected Versions

phpMyAdmin 4.8.0 and 4.8.1 are affected.

Solution

Upgrade to phpMyAdmin 4.8.2 or newer, or apply the patch listed below.
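
As an added example (not part of the advisory and not phpMyAdmin's own code), the Python script below audits a config.inc.php for the two settings the advisory lists as removing the authentication requirement, and checks the installed version against the affected list. The helper names and the sample config are constructed for illustration; it assumes the settings are plain literal assignments and relies on phpMyAdmin's defaults (AllowArbitraryServer off, ServerDefault 1) when a setting is absent.

```python
import re

AFFECTED_VERSIONS = {"4.8.0", "4.8.1"}  # versions named in the advisory

# Matches literal assignments such as: $cfg['ServerDefault'] = 0;
_ASSIGN = re.compile(r"""^\s*\$cfg\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*(?P<val>[^;]+);""", re.MULTILINE)

# Constructed sample config for the demo, not taken from a real deployment.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'placeholder-not-a-real-secret';
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;
$cfg['ServerDefault'] = 0;
"""


def _strip_comments(php):
    """Remove /* */ blocks and whole-line // or # comments so disabled lines are ignored."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", php, flags=re.MULTILINE)


def audit(config_text, version):
    """Return a list of findings for one phpMyAdmin install (hypothetical helper)."""
    findings = []
    if version in AFFECTED_VERSIONS:
        findings.append(f"version {version} is affected: upgrade to 4.8.2 or newer")
    settings = {}
    for m in _ASSIGN.finditer(_strip_comments(config_text)):
        # Later assignments overwrite earlier ones, as they would when PHP runs the file.
        settings[m["key"]] = m["val"].strip().strip("'\"").lower()
    if settings.get("AllowArbitraryServer") in {"true", "1"}:
        findings.append("AllowArbitraryServer is enabled: advisory lists this as not requiring a login")
    if settings.get("ServerDefault") == "0":
        findings.append("ServerDefault is 0: vulnerable code reachable without authentication")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "4.8.1"):
        print("[!]", finding)
```

A clean result only means these two directives are not set in the file that was scanned; open_basedir lives in the PHP configuration and has to be checked separately.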

References

Henry Huang, an independent security researcher, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.

Assigned CVE ids: CVE-2018-12613

CWE ids: CWE-661

Patches

The following commits have been made on the 4.8 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

CPE Name      Operator    Version
phpmyadmin    le          4.8.0
phpmyadmin    le          4.8.1
