CVE-2013-3239
Published 2013-04-26
CVE-2013-3239: phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by…
Priority P339 · medium · 4.6 · CVSS 2.0
AV:N/AC:H/Au:S/C:P/I:P/A:P
EXPLOIT
EPSS: 8.75% (94.5th percentile)
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | < phpmyadmin 4:3.4.11.1-2 (bookworm) | phpmyadmin 4:3.4.11.1-2 (bookworm) |
| phpmyadmin | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | >= 0 < 4:3.4.11.1-2 | 4:3.4.11.1-2 |
| phpmyadmin | phpmyadmin | >= 3.5.0 < 3.5.8.1 | 3.5.8.1 |
CVSS provenance
nvd · v2.0 · 4.6 MEDIUM · AV:N/AC:H/Au:S/C:P/I:P/A:P
osv · 4.6 MEDIUM
vendor_debian · 4.6 MEDIUM
Debian
CVE-2013-3239: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory...
vendor_debian·2013·CVSS 4.6
CVE-2013-3239 [MEDIUM] CVE-2013-3239: phpmyadmin - phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory...
Scope: local
bookworm: resolved (fixed in 4:3.4.11.1-2)
bullseye: resolved (fixed in 4:3.4.11.1-2)
forky: resolved (fixed in 4:3.4.11.1-2)
sid: resolved (fixed in 4:3.4.11.1-2)
trixie: resolved (fixed in 4:3.4.11.1-2)
GHSA
phpMyAdmin Remote Code Execution
ghsa·2022-05-17
CVE-2013-3239 [HIGH] CWE-94 phpMyAdmin Remote Code Execution
OSV
phpMyAdmin Remote Code Execution
osv·2022-05-17
CVE-2013-3239 [HIGH] phpMyAdmin Remote Code Execution
OSV
CVE-2013-3239: phpMyAdmin 3
osv·2013-04-26·CVSS 4.6
CVE-2013-3239 [MEDIUM] CVE-2013-3239: phpMyAdmin 3
No detection rules found.
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin3 various flaws [epel-5]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin3 various flaws [epel-5]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please use the bodhi submission link
noted in the next comment(s). This will include the bug IDs of this
tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
Bodhi notes field when available.
epel-5 tracking bug for phpMyAdmin3:
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [epel-6]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [epel-6]
epel-6 tracking bug for phpMyAdmin: se
Bugzilla
CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [fedora-all]
bugzilla·2013-04-24·CVSS 6.0
CVE-2013-3238 [MEDIUM] CVE-2013-3238 CVE-2013-3239 phpMyAdmin various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
Please note: this issue affects multipl
Bugzilla
CVE-2013-3239 phpMyAdmin: remote code execution via locally saved SQL dump file multiple extensions (PMASA-2013-3)
bugzilla·2013-04-24·CVSS 4.6
CVE-2013-3239 [MEDIUM] CVE-2013-3239 phpMyAdmin: remote code execution via locally saved SQL dump file multiple extensions (PMASA-2013-3)
phpMyAdmin can be configured to save an export file on the web server, via its SaveDir directive. With this in place, it's possible, either via a crafted filename template or a crafted table name, to save a double extension file like foobar.php.sql. In turn, an Apache webserver on which there is no definition for the MIME type "sql" (the default) will treat this saved file as a ".php" script, leading to remote code execution.
This vulnerability can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form. Moreover, the SaveDir directive is empty by default, so a default configuration is n
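An added example, not code from phpMyAdmin or the advisory: a simplified Python model of the extension lookup described above, used to audit a SaveDir listing for export files the web server would treat as PHP, with and without a definition for "sql". The extension maps, function names and sample listing are constructed assumptions.

```python
import os

PHP_TYPE = "application/x-httpd-php"

# Constructed mod_mime-style extension maps (assumptions, not from the page).
# DEFAULT_MAP: "php" is mapped by an Add* directive, "sql" has no definition.
DEFAULT_MAP = {"php": PHP_TYPE, "html": "text/html", "txt": "text/plain"}
# SQL_DEFINED_MAP: the same server after a media type is defined for "sql".
SQL_DEFINED_MAP = dict(DEFAULT_MAP, sql="text/plain")


def effective_type(filename, type_map):
    """Media type a mod_mime-style lookup settles on, or None if unmapped.

    Simplified model: every dot-separated part after the base name is an
    extension, unmapped extensions are ignored, the rightmost mapped one wins.
    """
    chosen = None
    for ext in filename.split(".")[1:]:      # first part is the base name
        mapped = type_map.get(ext.lower())   # extensions match case-insensitively
        if mapped is not None:
            chosen = mapped
    return chosen


def risky_exports(filenames, type_map):
    """Names from a SaveDir listing that the server would run as PHP."""
    return [n for n in filenames if effective_type(n, type_map) == PHP_TYPE]


def scan_savedir(path, type_map):
    """Audit a real directory; `path` is whatever SaveDir points to."""
    names = sorted(e.name for e in os.scandir(path) if e.is_file())
    return risky_exports(names, type_map)


# Constructed listing of a SaveDir directory.
SAMPLE_LISTING = ["backup.sql", "foobar.php.sql", "Report.PHP.sql",
                  "php.sql", "notes.txt"]

if __name__ == "__main__":
    print("no sql type:", risky_exports(SAMPLE_LISTING, DEFAULT_MAP))
    print("sql type defined:", risky_exports(SAMPLE_LISTING, SQL_DEFINED_MAP))
```

The model covers only extension-keyed media-type mappings; a server that selects PHP by matching the final extension of the filename is outside what it describes.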
http://archives.neohapsis.com/archives/bugtraq/2013-04/0217.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html
http://lists.opensuse.org/opensuse-updates/2013-06/msg00181.html
http://www.mandriva.com/security/advisories?name=MDVSA-2013:160
http://www.phpmyadmin.net/home_page/security/PMASA-2013-3.php
https://github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48
https://github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133
2013-04-26
Published