CVE-2018-12613
published 2018-06-21CVE-2018-12613: An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The…
PriorityP188high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
98.39%
99.9th percentile
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | phpmyadmin | — | — |
| phpmyadmin | phpmyadmin | >= 4.8 < 4.8.2 | 4.8.2 |
| phpmyadmin | phpmyadmin | >= 4.8.0 < 4.8.2 | 4.8.2 |
Detection & IOCsextracted from sources · hover to see the quote
urlhttp://127.0.0.1/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini↗
urlhttp://127.0.0.1/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../phpStudy/PHPTutorial/MySQL/data/hack/hack.frm↗
urlhttp://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k↗
yara↗
regex: root:.*:0:0:
- →The LFI bypass uses a double URL-encoded question mark (%253f) in the `target` GET parameter to evade the whitelist check in Core::checkPageValidity(). Detect GET requests to /index.php where the `target` parameter contains `db_sql.php%253f` followed by path traversal sequences. ↗
- →The vulnerable code path is `include $_REQUEST['target']` at line 61 of /index.php. Monitor PHP include/require calls sourced from user-controlled `target` request parameters. ↗
- →RCE via LFI is achieved by first injecting PHP code into the MySQL database (as a field value), then including the resulting .frm database file via the LFI. Detect SQL queries inserting PHP tags (e.g., `<?php`) into table columns followed by LFI requests targeting MySQL data directory paths. ↗
- →Alternative RCE path: inject PHP payload into the phpMyAdmin session file via SQL query (`select '<payload>'`), then trigger execution by including the session file at /var/lib/php/sessions/sess_<session_id> through the LFI endpoint. ↗
- →Version fingerprinting: the Metasploit module detects vulnerable versions by matching `PMA_VERSION:"(\d+\.\d+\.\d+)"` in the response body and checking for 4.8.0 or 4.8.1. ↗
- →The Metasploit module posts the exploit payload to /import.php with `sql_query`, `db`, `table`, and `token` POST parameters, then triggers LFI via GET to /index.php with the `target` parameter. Correlate POST to import.php followed by GET to index.php with %253f in the target parameter from the same session. ↗
- →Shodan/FOFA exposure: phpMyAdmin instances can be identified via `http.title:"phpmyadmin"` or response body containing `pma_servername`. ↗
- ·Authentication is normally required to exploit this LFI. However, if `$cfg['AllowArbitraryServer'] = true` is set, an unauthenticated attacker controlling a MySQL server can achieve RCE. If `$cfg['ServerDefault'] = 0`, the login requirement is bypassed entirely. ↗
- ·The session-file-based RCE path depends on the PHP session save path being /var/lib/php/sessions/ (Linux default). On Windows or non-default configurations the data path will differ (e.g., MySQL .frm file path used instead). ↗
- ·The Metasploit module explicitly targets only phpMyAdmin v4.8.0 and v4.8.1; v4.8.2 and later are patched. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck8.8HIGH
vendor_debian8.8LOW
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
phpMyAdmin Improper Authentication
ghsa·2022-05-13
CVE-2018-12613 [HIGH] CWE-287 phpMyAdmin Improper Authentication
phpMyAdmin Improper Authentication
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
OSV
phpMyAdmin Improper Authentication
osv·2022-05-13
CVE-2018-12613 [HIGH] phpMyAdmin Improper Authentication
phpMyAdmin Improper Authentication
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
VulnCheck
phpMyAdmin phpMyAdmin Improper Authentication
vulncheck·2018·CVSS 8.8
CVE-2018-12613 [HIGH] phpMyAdmin phpMyAdmin Improper Authentication
phpMyAdmin phpMyAdmin Improper Authentication
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Affected: phpMyAdmin phpMyAdmin
Required Action: Apply remediations or mitigations per vendor instructions or discon
Debian
CVE-2018-12613: phpmyadmin - An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker c...
vendor_debian·2018·CVSS 8.8
CVE-2018-12613 [HIGH] CVE-2018-12613: phpmyadmin - An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker c...
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
No detection rules found.
Exploit-DB
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
exploitdb·2021-10-25·CVSS 8.8
CVE-2018-12613 [HIGH] phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
---
# Exploit Title: phpMyAdmin 4.8.1 - Remote Code Execution (RCE)
# Date: 17/08/2021
# Exploit Author: samguy
# Vulnerability Discovery By: ChaMd5 & Henry Huang
# Vendor Homepage: http://www.phpmyadmin.net
# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
# Version: 4.8.1
# Tested on: Linux - Debian Buster (PHP 7.3)
# CVE : CVE-2018-12613
#!/usr/bin/env python
import re, requests, sys
# check python major version
if sys.version_info.major == 3:
import html
else:
from six.moves.html_parser import HTMLParser
html = HTMLParser()
if len(sys.argv) ';'''.format(command)
p = {'table':'', 'token': token, 'sql_query': payload }
r = requests.post(url2, cookies = cookies, data = p)
if r.status_code != 200:
pri
Exploit-DB
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
exploitdb·2018-07-13
CVE-2018-12613 phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
phpMyAdmin - (Authenticated) Remote Code Execution (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'phpMyAdmin Authenticated Remote Code Execution',
'Description' => %q{
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion,
which can be exploited post-authentication to execute PHP code by
application. The module has been tested with phpMyAdmin v4.8.1.
},
'Author' =>
[
'ChaMd5', # Vulnerability discovery and PoC
'Henry Huang', # Vulnerability discovery and PoC
'Jacob Robles' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'BID', '104532' ],
[ 'CVE', '2018-12613' ],
[ 'CWE', '661' ],
[ 'URL', 'https://www.phpmyadmin.net/secur
Exploit-DB
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
exploitdb·2018-06-22·CVSS 8.8
CVE-2018-12613 [HIGH] phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (2)
---
# Exploit Title: phpMyAdmin 4.8.1 - Local File Inclusion to Remote Code Execution
# Date: 2018-06-21
# Exploit Author: VulnSpy
# Vendor Homepage: http://www.phpmyadmin.net
# Software Link: https://github.com/phpmyadmin/phpmyadmin/archive/RELEASE_4_8_1.tar.gz
# Version: 4.8.0, 4.8.1
# Tested on: php7 mysql5
# CVE : CVE-2018-12613
1. Run SQL Query : select ''
2. Include the session file :
http://1a23009a9c9e959d9c70932bb9f634eb.vsplate.me/index.php?target=db_sql.php%253f/../../../../../../../../var/lib/php/sessions/sess_11njnj4253qq93vjm9q93nvc7p2lq82k
Exploit-DB
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)
exploitdb·2018-06-21
CVE-2018-12613 phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)
phpMyAdmin 4.8.1 - (Authenticated) Local File Inclusion (1)
---
The latest version downloaded from the official website, the file name is phpMyAdmin-4.8.1-all-languages.zip
The problem appears in /index.php
Find 55~63 lines
Line 61 contains include $_REQUEST['target'];
This is obviously LFI precursor, as long as we bypass the 55 to 59 restrictions on the line
Line 57 restricts the target parameter from beginning with index
Line 58 limit target parameter cannot appear within $target_blacklist
Find the definition of $target_blacklist :
In /index.php the first of 50 lines
As long as the target parameter is not import.php or export.php, the last limit is Core::checkPageValidity($_REQUEST['target'])
Find the checkPageValidity method of the Core class :
Defined in the \ libraries \
Metasploit
phpMyAdmin Authenticated Remote Code Execution
metasploit
phpMyAdmin Authenticated Remote Code Execution
phpMyAdmin Authenticated Remote Code Execution
phpMyAdmin v4.8.0 and v4.8.1 are vulnerable to local file inclusion, which can be exploited post-authentication to execute PHP code by application. The module has been tested with phpMyAdmin v4.8.1.
Nuclei
PhpMyAdmin <4.8.2 - Local File Inclusion
nuclei·CVSS 8.8
CVE-2018-12613 [HIGH] PhpMyAdmin <4.8.2 - Local File Inclusion
PhpMyAdmin <4.8.2 - Local File Inclusion
PhpMyAdmin before version 4.8.2 is susceptible to local file inclusion that allows an attacker to include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
Template:
id: CVE-2018-12613
info:
name: PhpMyAdmin <4.8.2 - Local File Inclusion
author: pikpikcu
severi
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
NoiseLetter October 2025
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
: Leveraging Temporal Word Embeddings to
Understand the Evolution of Cyberattacks
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present , a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test on a dataset of billions of security events collected from the c
Bugzilla
CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4 [epel-all]
bugzilla·2018-12-13·CVSS 8.8
CVE-2018-19968 [HIGH] CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4 [epel-all]
CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4 [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla
CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4
bugzilla·2018-12-13·CVSS 8.8
CVE-2018-19968 [HIGH] CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4
CVE-2018-19968 CVE-2018-19969 CVE-2018-19970 CVE-2018-12613 phpMyAdmin: Multiple security issues fixed in 4.8.4
https://www.phpmyadmin.net/news/2018/12/11/security-fix-phpmyadmin-484-released/
The security fixes involve:
Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)
- PMASA-2018-6 (CVE-2018-19968, CWE-661)
https://www.phpmyadmin.net/security/PMASA-2018-6/
Local file inclusion through transformation feature
- PMASA-2018-7 (CVE-2018-19969, CWE-661)
https://www.phpmyadmin.net/security/PMASA-2018-7/
XSRF/CSRF vulnerability i
http://packetstormsecurity.com/files/164623/phpMyAdmin-4.8.1-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/104532https://security.gentoo.org/glsa/201904-16https://www.exploit-db.com/exploits/44924/https://www.exploit-db.com/exploits/44928/https://www.exploit-db.com/exploits/45020/https://www.phpmyadmin.net/security/PMASA-2018-4/http://packetstormsecurity.com/files/164623/phpMyAdmin-4.8.1-Remote-Code-Execution.htmlhttp://www.securityfocus.com/bid/104532https://security.gentoo.org/glsa/201904-16https://www.exploit-db.com/exploits/44924/https://www.exploit-db.com/exploits/44928/https://www.exploit-db.com/exploits/45020/https://www.phpmyadmin.net/security/PMASA-2018-4/
2018-06-21
Published
Exploited in the wild