CVE-2013-3238
published 2013-04-26

Priority: P3 · 53 · medium · 6 (CVSS 2.0)
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 28.85% (97.9th percentile)
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.

Affected

13 ranges
Vendor | Product | Version range | Fixed in
debian | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin
phpmyadmin | phpmyadmin

Detection & IOCs (extracted from sources)

path: libraries/mult_submits.inc.php
path: db_structure.php
command: from_prefix=/e\0
command: query_type=replace_prefix_tbl
url: /js/messages.php
bytes: /e\x00
  • Detect reconnaissance requests to /js/messages.php used by the Metasploit module to fingerprint phpMyAdmin version via the X-Powered-By header and pmaversion JavaScript variable before exploitation.
  • The vulnerability is only exploitable on PHP versions below 5.4.7; check X-Powered-By response headers to identify at-risk servers running PHP < 5.4.7 with phpMyAdmin 3.5.x or 4.0.0-RC1/RC2.
  • Inspect the 'from_prefix' POST parameter for a null byte (\x00) injection — the crafted argument passes /e\x00 to preg_replace() to enable the PREG_REPLACE_EVAL code execution path.
  • Exploitation requires the attacker to be authenticated to phpMyAdmin; unauthenticated exploitation is blocked by CSRF token protection.
  • The preg_replace /e modifier RCE vector is only exploitable on PHP versions below 5.4.7; PHP 5.4.7 and above are not vulnerable.
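
The request-level checks listed above can be applied to logged or proxied HTTP requests as follows. This is an added example, not code from the advisory or from phpMyAdmin; the /phpmyadmin/ install path, the classify and scan names, and the sample requests are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, URL, urlencoded body); not captured traffic.
# The /phpmyadmin/ prefix is an assumed install path.
SAMPLES = [
    ("GET", "/phpmyadmin/js/messages.php", ""),
    ("POST", "/phpmyadmin/db_structure.php",
     "db=test&query_type=replace_prefix_tbl&from_prefix=%2Fe%00&to_prefix=CONSTRUCTED"),
    ("POST", "/phpmyadmin/db_structure.php",
     "db=test&query_type=replace_prefix_tbl&from_prefix=old_&to_prefix=new_"),
    ("POST", "/phpmyadmin/db_structure.php",
     "db=test&query_type=other_action&from_prefix=old_"),
]


def classify(method, url, body):
    """Return (severity, reason) for one request, or None if nothing matches."""
    parts = urlsplit(url)
    if parts.path.endswith("/js/messages.php"):
        # Low signal on its own: legitimate page loads also fetch this script.
        return ("info", "request to /js/messages.php (version fingerprinting)")
    if not parts.path.endswith("/db_structure.php"):
        return None
    # Look at both the query string and the body; parse_qs percent-decodes,
    # so an encoded %00 becomes a literal NUL character in the value.
    params = parse_qs("&".join(p for p in (parts.query, body) if p),
                      keep_blank_values=True)
    if "replace_prefix_tbl" not in params.get("query_type", []):
        return None
    for value in params.get("from_prefix", []):
        if "\x00" in value:
            # A table prefix never legitimately contains a NUL byte.
            return ("high", "NUL byte in from_prefix with replace_prefix_tbl")
    return None


def scan(requests):
    """Classify each request and return (index, severity, reason) for the hits."""
    hits = []
    for index, request in enumerate(requests):
        verdict = classify(*request)
        if verdict is not None:
            hits.append((index, *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```

An "info" hit is only worth escalating when the same client produces a "high" hit afterwards.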

CVSS provenance

nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
vendor_debian | 6.0 | LOW