CVE-2013-3238
Published 2013-04-26
Priority: P3 · 53 · medium · CVSS 2.0: 6
AV:N/AC:M/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 28.85% (97.9th percentile)
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | — | — |
Detection & IOCs
bytes: /e\x00
- Detect reconnaissance requests to /js/messages.php, used by the Metasploit module to fingerprint the phpMyAdmin version via the X-Powered-By header and the pmaversion JavaScript variable before exploitation.
- The vulnerability is only exploitable on PHP versions below 5.4.7; check X-Powered-By response headers to identify at-risk servers running PHP < 5.4.7 with phpMyAdmin 3.5.x or 4.0.0-RC1/RC2.
- Inspect the 'from_prefix' POST parameter for a null byte (\x00) injection; the crafted argument passes /e\x00 to preg_replace() to enable the PREG_REPLACE_EVAL code execution path.
- Exploitation requires the attacker to be authenticated to phpMyAdmin; unauthenticated exploitation is blocked by CSRF token protection.
- The preg_replace /e modifier RCE vector is only exploitable on PHP versions below 5.4.7; PHP 5.4.7 and above are not vulnerable.
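The checks listed above can be combined into a small log-triage script. This is an added example, not code from any of the cited sources: the record layout, finding labels and sample values are constructed, and the version ranges are the ones stated on this page.

```python
import re
from urllib.parse import parse_qs, urlsplit

def version_tuple(text):
    """Leading dotted-numeric part of a version string as a tuple of ints."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in m.group().split(".")) if m else ()

def pma_affected(version):
    """True for 3.5.x before 3.5.8 and for 4.0.0 pre-releases before rc3."""
    v = version_tuple(version)
    if v[:2] == (3, 5):
        return v < (3, 5, 8)
    return v[:3] == (4, 0, 0) and bool(re.search(r"alpha|beta|rc[12]\b", version.lower()))

def server_exposed(x_powered_by, pma_version):
    """True when PHP is below 5.4.7 and phpMyAdmin is in an affected range."""
    m = re.search(r"PHP/(\d+(?:\.\d+)*)", x_powered_by or "")
    php_old = bool(m) and version_tuple(m.group(1)) < (5, 4, 7)
    return php_old and pma_affected(pma_version)

def inspect_request(method, url, body=b""):
    """Return findings for one request; body is the raw urlencoded POST data."""
    findings = []
    if urlsplit(url).path.endswith("/js/messages.php"):
        # Normal pages load this file too: treat it as context, not an alert.
        findings.append("messages.php-request")
    if method.upper() == "POST":
        # parse_qs percent-decodes, so %00 and a raw NUL byte both become "\x00".
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        if any("\x00" in v for v in fields.get("from_prefix", [])):
            findings.append("from_prefix-null-byte")
    return findings

def triage(records):
    """Map each client to its sorted findings, skipping clients with none."""
    out = {}
    for client, method, url, body in records:
        hits = inspect_request(method, url, body)
        if hits:
            out.setdefault(client, set()).update(hits)
    return {client: sorted(hits) for client, hits in out.items()}

# Constructed sample records: (client, method, url, raw POST body).
SAMPLE = [
    ("192.0.2.10", "GET", "/pma/js/messages.php", b""),
    ("192.0.2.10", "POST", "/pma/db_settings.php", b"from_prefix=%2Fe%00&to_prefix=new_"),
    ("192.0.2.20", "POST", "/pma/db_settings.php", b"from_prefix=old_&to_prefix=new_"),
]
```

A client that shows both findings against a server for which `server_exposed()` is true deserves priority review; the `messages.php-request` finding alone is expected in normal use.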
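CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| vendor_debian | — | 6.0 | LOW | — |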
Debian
CVE-2013-3238: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticat...
vendor_debian·2013·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticat...
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-6cqw-hv35-68q6: phpMyAdmin 3
ghsa_unreviewed·2022-05-17
CVE-2013-3238 [MEDIUM] GHSA-6cqw-hv35-68q6: phpMyAdmin 3
No detection rules found.
Exploit-DB
phpMyAdmin - 'preg_replace' (Authenticated) Remote Code Execution (Metasploit)
exploitdb·2013-05-01
CVE-2013-3238 phpMyAdmin - 'preg_replace' (Authenticated) Remote Code Execution (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'phpMyAdmin Authenticated Remote Code Execution via preg_replace()',
'Description' => %q{
This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's
replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php
This affects versions 3.5.x 5.4.6 are not vulnerable.
},
'Author' =>
[
'Janek "waraxe" Vind', # Discovery
'Ben Campbell ' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '201
Exploit-DB
phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities
exploitdb·2013-04-25·CVSS 6.0
CVE-2013-3241 [MEDIUM] phpMyAdmin 3.5.8/4.0.0-RC2 - Multiple Vulnerabilities
---
[waraxe-2013-SA#103] - Multiple Vulnerabilities in phpMyAdmin
Author: Janek Vind "waraxe"
Date: 25. April 2013
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-103.html
Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the World Wide Web. phpMyAdmin supports a wide
range of operations with MySQL.
http://www.phpmyadmin.net/home_page/index.php
###############################################################################
1. Remote code execution via preg_replace() in "libraries/mult_submits.inc.php"
#################################################
Metasploit
phpMyAdmin Authenticated Remote Code Execution via preg_replace()
metasploit
This module exploits a PREG_REPLACE_EVAL vulnerability in phpMyAdmin's replace_prefix_tbl within libraries/mult_submits.inc.php via db_settings.php This affects versions 3.5.x 5.4.6 are not vulnerable.
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin3 various flaws [epel-5]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin3 various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-5 tracking bug for phpMyAdmin3:
Bugzilla
CVE-2013-3238 phpMyAdmin: remote code execution via preg_replace() (PMASA-2013-2)
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 phpMyAdmin: remote code execution via preg_replace() (PMASA-2013-2)
In some PHP versions, the preg_replace() function can be tricked into executing arbitrary PHP code on the server. This is done by passing a crafted argument as the regular expression, containing a null byte. phpMyAdmin does not correctly sanitize an argument passed to preg_replace() when using the "Replace table prefix" feature, opening the way to this vulnerability.
This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.
This is fixed via the following commits:
https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
https://github.com/phpmyadmin/phpmyadmin/comm
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [epel-6]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [epel-6]
epel-6 tracking bug for phpMyAdmin: se
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [fedora-all]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
Please note: this issue affects multipl
References
- http://archives.neohapsis.com/archives/bugtraq/2013-04/0217.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
- http://www.exploit-db.com/exploits/25136
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:160
- http://www.phpmyadmin.net/home_page/security/PMASA-2013-2.php
- https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549
- https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66
- https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133
Published: 2013-04-26