Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-111AEFCA-2213-11E9-9C8D-6805CA0B3D42: phpMyAdmin -- File disclosure and SQL injection

Back to Search

FreeBSD: VID-111AEFCA-2213-11E9-9C8D-6805CA0B3D42: phpMyAdmin -- File disclosure and SQL injection

Severity
4
CVSS
(AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published
01/21/2019
Created
03/19/2019
Added
01/28/2019
Modified
01/28/2019

Description

The phpMyAdmin development team reports:

Summary

Arbitrary file read vulnerability

Description

When AllowArbitraryServer configuration set

to true, with the use of a rogue MySQL server,

an attacker can read any file on the server that the web

server's user can access.

phpMyadmin attempts to block the use of LOAD DATA

INFILE, but due to a bug in PHP,

this check is not honored. Additionally, when using the

'mysql' extension, mysql.allow_local_infile

is enabled by default. Both of these conditions allow the

attack to occur.

Severity

We consider this vulnerability to be critical.

Mitigation factor

This attack can be mitigated by setting the

`AllowArbitraryServer` configuration directive to false

(which is the default value).

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.4 are

affected

Summary

SQL injection in Designer feature

Description

A vulnerability was reported where a specially crafted

username can be used to trigger an SQL injection attack

through the designer feature.

Severity

We consider this vulnerability to be serious.

Affected Versions

phpMyAdmin versions from 4.5.0 through 4.8.4 are affected

Solution(s)

  • freebsd-upgrade-package-phpmyadmin
  • freebsd-upgrade-package-phpmyadmin-php56
  • freebsd-upgrade-package-phpmyadmin-php70
  • freebsd-upgrade-package-phpmyadmin-php71
  • freebsd-upgrade-package-phpmyadmin-php72

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;