CVE-2012-5159
published 2012-09-25


Priority: P268, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 74.52% (99.4th percentile)
phpMyAdmin 3.5.2.2, as distributed by the cdnetworks-kr-1 mirror during an unspecified time frame in 2012, contains an externally introduced modification (Trojan Horse) in server_sync.php, which allows remote attackers to execute arbitrary PHP code via an eval injection attack.

Affected

2 ranges
Vendor      Product      Version range   Fixed in
debian      phpmyadmin
phpmyadmin  phpmyadmin

Detection & IOCs

path: server_sync.php
path: js/cross_framing_protection.js
url: /server_sync.php
command: POST /server_sync.php c=<url-encoded-payload>
  • Monitor for HTTP POST requests to server_sync.php with a 'c' parameter, which is the backdoor's eval injection trigger parameter.
  • The exploit sends a POST request with Content-Type: application/x-www-form-urlencoded to server_sync.php; alert on this combination targeting phpMyAdmin installations.
  • Presence of server_sync.php in a phpMyAdmin installation is itself an indicator of compromise — this file is not part of the legitimate phpMyAdmin 3.5.2.2 distribution.
  • The trojanized archive was distributed specifically via the cdnetworks-kr-1 SourceForge mirror; installations sourced from this mirror should be treated as compromised.
  • Also check js/cross_framing_protection.js for unexpected modifications as a secondary indicator of the trojanized distribution.
  • The backdoor was only present in phpMyAdmin 3.5.2.2 distributed via the cdnetworks-kr-1 SourceForge mirror during an unspecified window in 2012; official/other mirror distributions of the same version are not affected.
  • The default exploit PATH is '/phpMyAdmin'; defenders should also check alternate install paths as the module allows this to be configured.
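
The request-side checks in the bullets above, as an added Python example (not part of the original entry or of any project named in it): it flags access-log requests for server_sync.php under any install path. The combined log format, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed input: Apache/nginx "combined" access-log lines.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify(line):
    """Return (severity, ip, path, status) for a request to server_sync.php, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the query string and decode percent-encoding, then compare only the
    # file name so installs outside the default /phpMyAdmin path are covered.
    path = unquote(urlsplit(m["target"]).path)
    if path.rsplit("/", 1)[-1].lower() != "server_sync.php":
        return None
    status = int(m["status"])
    # The 'c' parameter travels in the POST body, which combined logs do not
    # record, so severity rests on method and status (labels are assumptions).
    if m["method"] == "POST" and status == 200:
        severity = "critical"  # trigger method answered by an existing file
    elif status != 404:
        severity = "high"      # the file appears to exist on this host
    else:
        severity = "info"      # request for a file this host does not have
    return severity, m["ip"], path, status

def scan(lines):
    """Classify every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [26/Sep/2012:03:14:07 +0000] "POST /phpMyAdmin/server_sync.php HTTP/1.1" 200 31 "-" "-"',
    '198.51.100.7 - - [26/Sep/2012:03:14:09 +0000] "POST /tools/pma/server%5Fsync.php HTTP/1.1" 404 209 "-" "-"',
    '203.0.113.5 - - [26/Sep/2012:03:15:00 +0000] "GET /phpMyAdmin/server_sync.php?x=1 HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.9 - - [26/Sep/2012:03:16:00 +0000] "POST /phpMyAdmin/server_status.php HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
```

A "high" or "critical" hit means the file answered on that host, which per the list above is itself grounds to treat the installation as compromised.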

CVSS provenance

nvd            v2.0  7.5  HIGH  AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_debian        7.5  LOW