phpMyAdmin remote PHP code injection vulnerability

Source: Internet
Author: User
Involved program:
phpMyAdmin
Description:
phpMyAdmin remote PHP code injection vulnerability

Details:
phpMyAdmin is a free tool that provides a web management interface for MySQL.
phpMyAdmin contains a PHP code injection flaw: remote attackers can use an eval() function to execute arbitrary PHP commands.
However, this vulnerability is only exploitable when the $cfg['LeftFrameLight'] variable (in the config.inc.php file) is set to FALSE.
phpMyAdmin stores multiple server configurations in the $cfg['Servers'][$i] array variable. These configurations are kept in the config.inc.php file and include the host, port, user, password, and authentication type. However, because $cfg['Servers'][$i] is not initialized, remote users can add server configurations through a GET request. For example, a configuration can be added by submitting the following request:
http://target/phpMyAdmin-2.5.7/left.php?server=4&cfg[Servers][host]=202.81.x.x&cfg[Servers][port]=8888&cfg[Servers][user]=alice ..
The $eval_string string passed to the eval() function allows PHP code execution. Attackers can add a server configuration and submit specially constructed table names, resulting in the execution of malicious PHP code.
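
A defensive check for the request pattern described above, as an added example that is not part of the original advisory or of phpMyAdmin: it scans web access-log lines for query parameters that write into the $cfg array, including percent-encoded brackets. The log lines, the addresses in them, and the function names overridden_cfg_keys and scan are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined-log style; addresses are documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jul/2004:10:00:01 +0000] "GET /phpMyAdmin-2.5.7/left.php?server=1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [01/Jul/2004:10:00:05 +0000] "GET /phpMyAdmin-2.5.7/left.php'
    '?server=4&cfg[Servers][host]=198.51.100.9&cfg[Servers][port]=8888 HTTP/1.1" 200 498',
    '192.0.2.78 - - [01/Jul/2004:10:00:09 +0000] "GET /phpMyAdmin-2.5.7/left.php'
    '?server=4&cfg%5BServers%5D%5Bhost%5D=198.51.100.9 HTTP/1.1" 200 498',
    '192.0.2.11 - - [01/Jul/2004:10:00:12 +0000] "GET /docs/search?q=cfg[Servers] HTTP/1.1" 200 90',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def overridden_cfg_keys(target):
    """Return the query parameter names that would write into the $cfg array."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so cfg%5BServers%5D is compared as cfg[Servers].
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    # PHP variable names are case-sensitive, so only a literal "cfg[" prefix counts.
    return [n for n in names if n.lstrip(" ").startswith("cfg[")]


def scan(lines):
    """Return (client, request_target, keys) for every request that sets $cfg entries."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        client, target = m.groups()
        keys = overridden_cfg_keys(target)
        if keys:
            hits.append((client, target, keys))
    return hits


if __name__ == "__main__":
    for client, target, keys in scan(SAMPLE_LOG):
        print(f"{client} sets {keys} via {target}")
```

The check looks at parameter names only, so a request that merely carries "cfg[" in a value (the last sample line) is not flagged.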
Affected systems:
PhpMyAdmin 2.5.7

Attack method:
No valid attack code

Solution:
Currently, the vendor does not provide patches or upgrade programs. We recommend that users of the software check the vendor's homepage to obtain the latest version:
http://www.phpmyadmin.net
