CVE-2011-2505
published 2011-07-14CVE-2011-2505: libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to…
PriorityP274medium6.4CVSS 2.0
AVNACLAuNCNIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
12.88%
95.8th percentile
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
Affected
48 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < phpmyadmin 4:3.4.3.1-1 (bookworm) | phpmyadmin 4:3.4.3.1-1 (bookworm) |
| debian | phpmyadmin | < phpmyadmin 4:3.4.3.2-1 (bookworm) | phpmyadmin 4:3.4.3.2-1 (bookworm) |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect HTTP requests targeting the SESSION superglobal via query string parameters containing '_SESSION[' in the URL, characteristic of the remote variable manipulation attack vector. ↗
- →Monitor GET requests to phpMyAdmin containing '_SESSION[ConfigFile][Servers]' in the query string, which is the specific injection pattern used by the exploit. ↗
- →Alert on POST requests to /setup/config.php with 'submit_save=Save' following a suspicious _SESSION injection request, indicating the exploit's file-write stage. ↗
- →Detect GET requests to /config/config.inc.php with an 'eval' parameter, which is the code execution trigger after successful injection. ↗
- →Flag presence or access to the /config/ directory under phpMyAdmin, as the exploit requires this directory to be writable to save the injected configuration file. ↗
- →Detect use of 'session_to_unset' parameter in phpMyAdmin query strings, which is part of the exploit's SESSION poisoning request. ↗
- ·The exploit also requires the /config/ directory to exist and be web-server writable; absence of this directory prevents the file-write stage of the attack. ↗
- ·Affected versions are phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1; versions at or above these thresholds are patched. ↗
CVSS provenance
nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
osv6.4MEDIUM
vulncheck6.4MEDIUM
vendor_debian6.4LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
phpMyAdmin remote variable manipulation
osv·2022-05-14
CVE-2011-2505 [MEDIUM] phpMyAdmin remote variable manipulation
phpMyAdmin remote variable manipulation
`libraries/auth/swekey/swekey.auth.lib.php` in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the `SESSION` superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
GHSA
phpMyAdmin remote variable manipulation
ghsa·2022-05-14
CVE-2011-2505 [MEDIUM] CWE-94 phpMyAdmin remote variable manipulation
phpMyAdmin remote variable manipulation
`libraries/auth/swekey/swekey.auth.lib.php` in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the `SESSION` superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
GHSA
GHSA-fmmw-6q24-3wqx: libraries/auth/swekey/swekey
ghsa_unreviewed·2022-05-14·CVSS 6.4
CVE-2011-2719 [MEDIUM] CWE-20 GHSA-fmmw-6q24-3wqx: libraries/auth/swekey/swekey
libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505.
OSV
CVE-2011-2719: libraries/auth/swekey/swekey
osv·2011-08-01·CVSS 6.4
CVE-2011-2719 [MEDIUM] CVE-2011-2719: libraries/auth/swekey/swekey
libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505.
OSV
CVE-2011-2505: libraries/auth/swekey/swekey
osv·2011-07-14·CVSS 6.4
CVE-2011-2505 [MEDIUM] CVE-2011-2505: libraries/auth/swekey/swekey
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
VulnCheck
phpMyAdmin phpMyAdmin Improper Control of Generation of Code ('Code Injection')
vulncheck·2011·CVSS 6.4
CVE-2011-2505 [MEDIUM] phpMyAdmin phpMyAdmin Improper Control of Generation of Code ('Code Injection')
phpMyAdmin phpMyAdmin Improper Control of Generation of Code ('Code Injection')
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
Affected: phpMyAdmin phpMyAdmin
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-alert-phpmyadmin-superglobal-session-manipulation-attack-detected/
Debian
CVE-2011-2505: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature i...
vendor_debian·2011·CVSS 6.4
CVE-2011-2505 [MEDIUM] CVE-2011-2505: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature i...
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."
Scope: local
bookworm: resolved (fixed in 4:3.4.3.1-1)
bullseye: resolved (fixed in 4:3.4.3.1-1)
forky: resolved (fixed in 4:3.4.3.1-1)
sid: resolved (fixed in 4:3.4.3.1-1)
trixie: resolved (fixed in 4:3.4.3.1-1)
Debian
CVE-2011-2719: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and ...
vendor_debian·2011·CVSS 6.4
CVE-2011-2719 [MEDIUM] CVE-2011-2719: phpmyadmin - libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and ...
libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505.
Scope: local
bookworm: resolved (fixed in 4:3.4.3.2-1)
bullseye: resolved (fixed in 4:3.4.3.2-1)
forky: resolved (fixed in 4:3.4.3.2-1)
sid: resolved (fixed in 4:3.4.3.2-1)
trixie: resolved (fixed in 4:3.4.3.2-1)
No detection rules found.
Exploit-DB
phpMyAdmin 3.x - Swekey Remote Code Injection
exploitdb·2011-07-09·CVSS 6.4
CVE-2011-2506 [MEDIUM] phpMyAdmin 3.x - Swekey Remote Code Injection
phpMyAdmin 3.x - Swekey Remote Code Injection
---
':'';?>
.
, )\ .
. ,/) , / ) , )\
)\( /)/( (__( /( / ) __ __ ________ __ __
/ \ ( )| |) \ / | |\ /| | | | | | | | (__)
( ______ / | |_____( ______ | | \/ | | __ __ | |__| | ___| | __ ___________ __ __ _____
\| | \ \ | | | |)| | \ \ | | | | | | | | | | | | / / | | | | | | | | | | | | | |
| |_/__/ |__| |__| | |_/__/ |__| |__| |__|__| | |__| [][]|[]__[]|[][]|_[] |_[][]|_[] [][][]__| |__|
==|__|=================|__|=========================|__|======[]====[][]=|[]|[]=[]===[]==[]=[]===[]==============
phpMyAdmin __)|_[_ \__\|____||_|_\|_| |_| |_|
Use responsibly.
':'';
if(php_sapi_name()==='cli'){
if(!isset($argv[1])){
output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
killme();
}
$pmaurl = $argv[1];
}else{
$pmaurl = iss
Exploit-DB
phpMyAdmin3 (pma3) - Remote Code Execution
exploitdb·2011-07-08·CVSS 6.4
CVE-2011-2506 [MEDIUM] phpMyAdmin3 (pma3) - Remote Code Execution
phpMyAdmin3 (pma3) - Remote Code Execution
---
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. "config" directory must created&writeable in pma directory.
# 2. session.auto_start = 1 in php.ini configuration.
import os,sys,urllib2,re
def usage(program):
print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code
execute exploit"
print "Usage: %s " % program
print "Example: %s http://www.test.com/phpMyAdmin" % program
sys.exit(0)
def main(args):
try:
if len(args) \(.*)\\", urllib2.urlopen(url).read())
if len(result)
http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.htmlhttp://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=7ebd958b2bf59f96fecd5b3322bdbd0b244a7967http://secunia.com/advisories/45139http://secunia.com/advisories/45292http://secunia.com/advisories/45315http://securityreason.com/securityalert/8306http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/http://www.debian.org/security/2011/dsa-2286http://www.exploit-db.com/exploits/17514/http://www.mandriva.com/security/advisories?name=MDVSA-2011:124http://www.openwall.com/lists/oss-security/2011/06/28/2http://www.openwall.com/lists/oss-security/2011/06/28/6http://www.openwall.com/lists/oss-security/2011/06/28/8http://www.openwall.com/lists/oss-security/2011/06/29/11http://www.osvdb.org/73611http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.phphttp://www.securityfocus.com/archive/1/518804/100/0/threadedhttp://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txthttp://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.htmlhttp://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.htmlhttp://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=7ebd958b2bf59f96fecd5b3322bdbd0b244a7967http://secunia.com/advisories/45139http://secunia.com/advisories/45292http://secunia.com/advisories/45315http://securityreason.com/securityalert/8306http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/http://www.debian.org/security/2011/dsa-2286http://www.exploit-db.com/exploits/17514/http://www.mandriva.com/security/advisories?name=MDVSA-2011:124http://www.openwall.com/lists/oss-security/2011/06/28/2http://www.openwall.com/lists/oss-security/2011/06/28/6http://www.openwall.com/lists/oss-security/2011/06/28/8http://www.openwall.com/lists/oss-security/2011/06/29/11http://www.osvdb.org/73611http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.phphttp://www.securityfocus.com/archive/1/518804/100/0/threadedhttp://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
2011-07-14
Published
Exploited in the wild