Summary
File inclusion and remote code execution attack
Description
A flaw has been discovered where an attacker can include
(view and potentially execute) files on the server.
The vulnerability comes from a portion of code where
pages are redirected and loaded within phpMyAdmin, and an
improper test for whitelisted pages.
An attacker must be authenticated, except in these
situations:
- $cfg['AllowArbitraryServer'] = true: the attacker can
specify any host they already control, and
execute arbitrary code on phpMyAdmin
- $cfg['ServerDefault'] = 0: this bypasses the login and
runs the vulnerable code without any authentication
Severity
We consider this to be severe.
Mitigation factor
Configuring PHP with a restrictive
`open_basedir` can greatly restrict an attacker's ability to
view files on the server. Vulnerable systems should not be
run with the phpMyAdmin directives
$cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault']
= 0.
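A configuration check for the two directives named above, as an added example that is not part of the original advisory or of phpMyAdmin's own code. The function name `audit`, the helper names and the sample config are assumptions of this example; it reads literal assignments with a regular expression and does not evaluate PHP expressions.

```python
import re

# Matches top-level assignments such as  $cfg['ServerDefault'] = 0;
# (not nested ones like $cfg['Servers'][$i]['host'] = ...).
_ASSIGN = re.compile(r"""\$cfg\[\s*['"](\w+)['"]\s*\]\s*=\s*([^;]+);""")

# Conditions the advisory describes as removing the authentication requirement.
RISKY = {
    "AllowArbitraryServer": lambda v: v != 0,   # = true
    "ServerDefault": lambda v: v == 0,          # = 0
}

def _strip_comments(php):
    """Drop /* */ blocks and //, # line comments (naive: ignores string context)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)(^|[ \t])(//|#).*$", "", php)

def _parse(raw):
    """Map a PHP literal to an int (true/false become 1/0); None if not a literal."""
    raw = raw.strip().lower()
    if raw in ("true", "false"):
        return int(raw == "true")
    try:
        return int(raw)
    except ValueError:
        return None  # expression this example does not evaluate

def audit(php_source):
    """Return the sorted names of directives whose final value is risky."""
    final = {}
    for name, raw in _ASSIGN.findall(_strip_comments(php_source)):
        final[name] = _parse(raw)  # PHP runs top to bottom: last assignment wins
    return sorted(name for name, is_risky in RISKY.items()
                  if final.get(name) is not None and is_risky(final[name]))

# Constructed sample config, not taken from any real deployment.
SAMPLE_CONFIG = """<?php
// $cfg['AllowArbitraryServer'] = true;
$cfg['AllowArbitraryServer'] = false;
$cfg['ServerDefault'] = 1;
/* $cfg['ServerDefault'] = 1; */
$cfg['ServerDefault'] = 0;
"""

if __name__ == "__main__":
    for directive in audit(SAMPLE_CONFIG):
        print(f"risky setting: $cfg['{directive}']")
```

A directive that is absent from the file is not reported, since phpMyAdmin's defaults (`AllowArbitraryServer` false, `ServerDefault` 1) are not the values the advisory warns about.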