CVE-2012-5159
Published: 2012-09-25
Priority: P268, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Exploit: available
EPSS: 74.52% (99.4th percentile)
phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
Detection & IOCs
- Monitor for HTTP POST requests to server_sync.php with a 'c' parameter, which is the backdoor's eval injection trigger parameter.
- The exploit sends a POST request with Content-Type: application/x-www-form-urlencoded to server_sync.php; alert on this combination targeting phpMyAdmin installations.
- Presence of server_sync.php in a phpMyAdmin installation is itself an indicator of compromise: this file is not part of the legitimate phpMyAdmin 3.5.2.2 distribution.
- The trojanized archive was distributed specifically via the cdnetworks-kr-1 SourceForge mirror; installations sourced from this mirror should be treated as compromised.
- Also check js/cross_framing_protection.js for unexpected modifications as a secondary indicator of the trojanized distribution.
- The backdoor was only present in phpMyAdmin 3.5.2.2 distributed via the cdnetworks-kr-1 SourceForge mirror during an unspecified window in 2012; official/other mirror distributions of the same version are not affected.
- The default exploit PATH is '/phpMyAdmin'; defenders should also check alternate install paths as the module allows this to be configured.
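The checks listed above can be automated as in the following added example, which is not part of the original page or of any referenced project. It assumes Apache/nginx "combined" access logs; the function names and sample log lines are constructed for illustration.

```python
import os
import re

# Request portion of an Apache/nginx "combined" access-log line (assumed format).
REQ = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
BACKDOOR = "server_sync.php"  # file name given in the advisory text

# Constructed sample lines (documentation IP ranges), not real incident data.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2012:10:01:02 +0000] "POST /phpMyAdmin/server_sync.php HTTP/1.1" 200 15 "-" "-"',
    '198.51.100.7 - - [26/Sep/2012:10:01:09 +0000] "POST /pma/Server_Sync.php?x=1 HTTP/1.1" 200 15 "-" "-"',
    '203.0.113.4 - - [26/Sep/2012:10:02:00 +0000] "GET /phpMyAdmin/server_synchronize.php HTTP/1.1" 200 9001 "-" "-"',
    '203.0.113.4 - - [26/Sep/2012:10:02:05 +0000] "POST /phpMyAdmin/index.php HTTP/1.1" 302 0 "-" "-"',
    '203.0.113.9 - - [26/Sep/2012:10:03:00 +0000] "GET /phpMyAdmin/server_sync.php HTTP/1.1" 404 210 "-" "-"',
]

def suspicious_requests(lines):
    """Flag every request for server_sync.php under any install path.

    Access logs do not record POST bodies, so the 'c' parameter is not
    visible here; a POST answered with a non-error status is ranked "high",
    anything else (GET, 4xx/5xx) is ranked "probe".
    """
    hits = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        path = m["uri"].split("?", 1)[0]
        # Exact basename match (case-insensitive) avoids hitting other scripts.
        if path.rsplit("/", 1)[-1].lower() != BACKDOOR:
            continue
        status = int(m["status"])
        level = "high" if m["method"] == "POST" and status < 400 else "probe"
        hits.append((m["ip"], m["method"], m["uri"], status, level))
    return hits

def find_backdoor_files(webroot):
    """Return every server_sync.php below webroot, whatever the install directory is named."""
    found = []
    for dirpath, _dirs, files in os.walk(webroot):
        found += [os.path.join(dirpath, f) for f in files if f.lower() == BACKDOOR]
    return sorted(found)

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Confirming the 'c' parameter itself requires a source that captures request bodies, such as a WAF or reverse-proxy body log.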
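CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vendor_debian | | 7.5 | LOW | |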
Debian
CVE-2012-5159: phpmyadmin - phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspe...
vendor_debian·2012·CVSS 7.5
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-g39j-4qc9-5rh4: phpMyAdmin 3
ghsa_unreviewed·2022-05-17
CVE-2012-5159 [HIGH] CWE-94 GHSA-g39j-4qc9-5rh4: phpMyAdmin 3
No detection rules found.
Exploit-DB
phpMyAdmin 3.5.2.2 - 'server_sync.php' Backdoor (Metasploit)
exploitdb·2012-10-10
```ruby
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'phpMyAdmin 3.5.2.2 server_sync.php Backdoor',
      'Description' => %q{
          This module exploits an arbitrary code execution backdoor
        placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
      },
      'Author' => [ 'hdm' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' => [ ['URL', 'http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php'] ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Compat' =
```
Metasploit
phpMyAdmin 3.5.2.2 server_sync.php Backdoor
metasploit
This module exploits an arbitrary code execution backdoor placed into phpMyAdmin v3.5.2.2 through a compromised SourceForge mirror.
References:
- http://seclists.org/oss-sec/2012/q3/562
- http://sourceforge.net/blog/phpmyadmin-back-door/
- http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php
- http://www.securityfocus.com/bid/55672

Published: 2012-09-25