CVE-2019-6799
published 2019-01-26


Priority: P3 (52) · medium · 5.9 (CVSS 3.0)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EXPLOIT
EPSS: 15.59% (96.4th percentile)
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | | |
| debian | phpmyadmin | < phpmyadmin 4:4.9.1+dfsg1-2 (bookworm) | phpmyadmin 4:4.9.1+dfsg1-2 (bookworm) |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.1+dfsg1-2 | 4:4.9.1+dfsg1-2 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.1+dfsg1-2 | 4:4.9.1+dfsg1-2 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.1+dfsg1-2 | 4:4.9.1+dfsg1-2 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.9.1+dfsg1-2 | 4:4.9.1+dfsg1-2 |
| phpmyadmin | phpmyadmin | >= 0 < 4:4.6.6-5ubuntu0.5 | 4:4.6.6-5ubuntu0.5 |
| phpmyadmin | phpmyadmin | 4.0.0 – 4.8.4 | |
| phpmyadmin | phpmyadmin | >= 4.8 < 4.8.5 | 4.8.5 |

Detection & IOCs (extracted from sources)

other: pma_servername
  • Vulnerability is only exploitable when AllowArbitraryServer configuration is set to true in phpMyAdmin, enabling connection to a rogue MySQL server for arbitrary file read.
  • Detection should check for PHP version below 7.3.4, as the bug in PHP that ignores MYSQLI_OPT_LOCAL_INFILE is present in those versions, enabling the attack path.
  • Monitor HTTP response headers for X-Powered-By PHP version disclosure to identify vulnerable PHP versions below 7.3.4.
  • The attack leverages LOAD DATA INFILE via a rogue MySQL server; phpMyAdmin's attempt to block MYSQLI_OPT_LOCAL_INFILE is not honored due to a PHP bug. Monitor for unexpected inbound MySQL connections from phpMyAdmin hosts.
  • When using the 'mysql' extension, mysql.allow_local_infile is enabled by default, creating an additional attack vector. Audit PHP configurations for mysql.allow_local_infile=On on phpMyAdmin hosts.
  • Use DNS interaction (OOB) detection as part of exploit confirmation; the nuclei template checks for dns interactsh_protocol hits during exploitation.
  • Fixed in phpMyAdmin 4.8.5; any instance running below this version with AllowArbitraryServer=true should be treated as vulnerable.
  • The vulnerability is only exploitable when AllowArbitraryServer is explicitly set to true in phpMyAdmin's configuration. Instances with the default setting (false) are not affected.
  • The PHP configuration directive mysql.allow_local_infile being enabled (default for the 'mysql' extension) is a contributing factor; disabling it mitigates the risk even if AllowArbitraryServer is true.
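
The conditions in the list above can be checked offline against a host's configuration files. The following audit sketch is an added example, not code from phpMyAdmin or from this page's sources; the function names and the sample inputs are assumptions constructed for illustration, and versions are expected as upstream strings such as `4.8.4` (no Debian epoch).

```python
import re

FIXED_PMA = (4, 8, 5)  # page: fixed in phpMyAdmin 4.8.5
FIXED_PHP = (7, 3, 4)  # page: PHP bug ignoring MYSQLI_OPT_LOCAL_INFILE is below 7.3.4

def ver(text):
    """Leading dotted numeric part of a version string as a comparable tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def arbitrary_server_enabled(config_php):
    """Last uncommented assignment to $cfg['AllowArbitraryServer']; default is false."""
    code = re.sub(r"/\*.*?\*/", "", config_php, flags=re.S)  # drop block comments
    code = re.sub(r"(?m)^\s*(?://|#).*$", "", code)          # drop whole-line comments
    hits = re.findall(
        r"""\$cfg\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*(\w+)\s*;""", code)
    return bool(hits) and hits[-1].lower() in ("true", "1")

def local_infile_enabled(php_ini):
    """mysql.allow_local_infile from php.ini text; the page says it defaults to on."""
    value = "on"
    for line in php_ini.splitlines():
        m = re.match(r"\s*mysql\.allow_local_infile\s*=\s*([^;\s]+)", line, re.I)
        if m:
            value = m.group(1).strip('"').lower()
    return value in ("1", "on", "true", "yes")

def assess(pma_version, php_version, config_php, php_ini):
    """Return (vulnerable, contributing_factors) using the conditions listed above."""
    exposed = ver(pma_version) < FIXED_PMA and arbitrary_server_enabled(config_php)
    factors = []
    if ver(php_version) < FIXED_PHP:
        factors.append("PHP below 7.3.4")
    if local_infile_enabled(php_ini):
        factors.append("mysql.allow_local_infile enabled")
    return exposed, factors

# Constructed sample inputs, not taken from any real host.
SAMPLE_CONFIG = """<?php
// $cfg['AllowArbitraryServer'] = false;
$cfg['Servers'][1]['host'] = 'localhost';
$cfg['AllowArbitraryServer'] = true;
"""
SAMPLE_INI = "; constructed php.ini fragment\nmysql.allow_local_infile = On\n"

if __name__ == "__main__":
    print(assess("4.8.4", "7.2.15", SAMPLE_CONFIG, SAMPLE_INI))
```

The first element of the result follows the rule stated above (below 4.8.5 with AllowArbitraryServer=true is treated as vulnerable); the second lists the PHP-side factors separately so they can be fixed independently.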

CVSS provenance

nvd v3.0: 5.9 MEDIUM (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
nvd v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:P/I:N/A:N)
osv: 6.5 MEDIUM
vendor_ubuntu: 6.5 MEDIUM
vendor_debian: 5.9 MEDIUM