phpMyAdmin remote PHP code injection vulnerability
PhpMyAdmin
Description:
PhpMyAdmin remote PHP code injection vulnerability
Details:
PhpMyAdmin is a free tool that provides a WWW management interface for MySQL management.
phpMyAdmin contains a PHP code injection vulnerability: a remote attacker can reach an eval() call and execute arbitrary PHP code.
However, the vulnerability is only exploitable when the `$cfg['LeftFrameLight']` variable (in the config.inc.php file) is set to FALSE.
phpMyAdmin stores multiple server configurations in the `$cfg['Servers'][$i]` array. These configurations are defined in config.inc.php and include host, port, user, password, and authentication type. Because `$cfg['Servers'][$i]` is not initialized, a remote user can add a server configuration through GET parameters, for example by submitting the following request:
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][host]=202.81.x.x&cfg[Servers][port]=8888&cfg[Servers][user]=alice...
The `$eval_string` string passed to eval() allows PHP code execution: an attacker who has added a server configuration can then submit a specially constructed table name, resulting in execution of malicious PHP code.
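A log-side check for the configuration-override pattern described above, as an added example that is not phpMyAdmin's own code or part of the advisory; the access-log format and the sample lines are assumed and constructed here:

```python
"""Flag HTTP requests that try to set phpMyAdmin's $cfg array (e.g. cfg[Servers][host])
through the query string. Added detection example, not phpMyAdmin code; the log
format and sample lines below are constructed for illustration."""
import re
from urllib.parse import urlsplit, parse_qsl

# Apache/nginx combined-log style request field: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (assumed format; not taken from the advisory).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] "GET /phpMyAdmin-2.5.7/left.php?server=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2004:10:00:01 +0000] "GET /phpMyAdmin-2.5.7/left.php?server=4&cfg%5BServers%5D%5Bhost%5D=203.0.113.7&cfg%5BServers%5D%5Bport%5D=8888 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2004:10:00:02 +0000] "GET /phpMyAdmin-2.5.7/index.php?lang=en HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2004:10:00:03 +0000] "POST /phpMyAdmin-2.5.7/tbl_properties.php?cfg[LeftFrameLight]=0 HTTP/1.1" 200 512
"""

def injected_config_keys(target: str) -> list[str]:
    """Return query parameter names that attempt to set phpMyAdmin's $cfg array."""
    query = urlsplit(target).query
    keys = []
    # parse_qsl percent-decodes names, so cfg%5BServers%5D becomes cfg[Servers]
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if name == "cfg" or name.startswith("cfg["):
            keys.append(name)
    return keys

def scan_log(text: str) -> list[dict]:
    """Flag requests to phpMyAdmin scripts that carry cfg[...] query parameters."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        if "phpmyadmin" not in target.lower():
            continue
        keys = injected_config_keys(target)
        if keys:
            findings.append({"client": line.split()[0],
                             "path": urlsplit(target).path,
                             "keys": keys})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']} -> {f['path']} overrides {', '.join(f['keys'])}")
```

Any hit is worth investigating: legitimate phpMyAdmin requests never carry `cfg[...]` parameters, and a hit against left.php with the server parameter matches the pattern in the advisory.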
Affected systems:
PhpMyAdmin 2.5.7
Attack method:
No valid attack code
Solution:
Currently, the vendor does not provide a patch or upgrade. We recommend that users of the software check the vendor's homepage for the latest version:
Http://www.phpmyadmin.net