cbcvebase.
CVE-2011-2505
published 2011-07-14

CVE-2011-2505: libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to…

PriorityP274medium6.4CVSS 2.0
AVNACLAuNCNIPAP
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
12.88%
95.8th percentile
libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."

Affected

48 ranges· showing 25
VendorProductVersion rangeFixed in
debianphpmyadmin< phpmyadmin 4:3.4.3.1-1 (bookworm)phpmyadmin 4:3.4.3.1-1 (bookworm)
debianphpmyadmin< phpmyadmin 4:3.4.3.2-1 (bookworm)phpmyadmin 4:3.4.3.2-1 (bookworm)
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin
phpmyadminphpmyadmin

Detection & IOCsextracted from sources · hover to see the quote

pathlibraries/auth/swekey/swekey.auth.lib.php
url/?_SESSION[ConfigFile][Servers][*/<code>/*][port]=0&session_to_unset=x&token=<token>
path/setup/config.php
path/config/config.inc.php
cookiephpMyAdmin=<session_value>
hash202cb962ac59075b964b07152d234b70
commandforeach($_GET as $k=>$v)if($k==="eval")eval($v);
commandeval(getenv('HTTP_CODE'));
  • Detect HTTP requests targeting the SESSION superglobal via query string parameters containing '_SESSION[' in the URL, characteristic of the remote variable manipulation attack vector.
  • Monitor GET requests to phpMyAdmin containing '_SESSION[ConfigFile][Servers]' in the query string, which is the specific injection pattern used by the exploit.
  • Alert on POST requests to /setup/config.php with 'submit_save=Save' following a suspicious _SESSION injection request, indicating the exploit's file-write stage.
  • Detect GET requests to /config/config.inc.php with an 'eval' parameter, which is the code execution trigger after successful injection.
  • Flag presence or access to the /config/ directory under phpMyAdmin, as the exploit requires this directory to be writable to save the injected configuration file.
  • Detect use of 'session_to_unset' parameter in phpMyAdmin query strings, which is part of the exploit's SESSION poisoning request.
  • ·The exploit also requires the /config/ directory to exist and be web-server writable; absence of this directory prevents the file-write stage of the attack.
  • ·Affected versions are phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1; versions at or above these thresholds are patched.

CVSS provenance

nvdv2.06.4MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:P
osv6.4MEDIUM
vulncheck6.4MEDIUM
vendor_debian6.4LOW
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.