phpMyAdmin Local File Inclusion Vulnerability (PMASA-2018-4)

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. A vulnerability has been discovered where an attacker can include (view and potentially execute) files on the server.
CVE-2018-12613 has been assigned to track this vulnerability, which affects phpMyAdmin 4.8.0 and 4.8.1. Upon successful exploitation, the attacker can leverage the LFI vulnerability to conduct remote code execution on the targeted system.

Vulnerability:

The vulnerability comes from the portion of code where pages are redirected to and loaded within phpMyAdmin, specifically an improper test for whitelisted pages.

An attacker must be authenticated, except in these situations:

  • `$cfg['AllowArbitraryServer'] = true`: the attacker can specify any host they already control, and execute arbitrary code on phpMyAdmin
  • `$cfg['ServerDefault'] = 0`: this bypasses the login and runs the vulnerable code without any authentication

The vulnerability exists in `/index.php`, which uses `$_REQUEST['target']` to select the page to include.

If the target parameter is neither import.php nor export.php, the last check it has to pass is `Core::checkPageValidity($_REQUEST['target'])`, which is defined in `\libraries\classes\core.php`.

This whitelist validation can be bypassed using `%253f` (a double URL-encoded `?`): the web server decodes it once to `%3f`, and the validation routine decodes it a second time to `?`, compares only the part before the `?` against the whitelist, yet the undecoded value is what gets included.
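To make the defect concrete, here is a simplified model of the whitelist check in its weak and hardened forms. This is an added example written for this article, not phpMyAdmin's own code: the real `Core::checkPageValidity` is longer and uses the `mb_*` string functions, and the whitelist below is a constructed subset. The hardened form does no second decode and, as a design choice of this example, returns the canonical whitelisted name so the caller never includes the raw request value.

```php
<?php
// Added example, not phpMyAdmin's own code: a simplified model of the
// page-whitelist check described in the advisory. The whitelist is a
// constructed subset for illustration.
declare(strict_types=1);

const PAGE_WHITELIST = ['db_sql.php', 'server_sql.php', 'tbl_sql.php'];

// Keep everything before the first '?' (page name without its query string).
// Appending '?' guarantees strpos() always finds a match.
function stripQuery(string $page): string
{
    return substr($page, 0, strpos($page . '?', '?'));
}

// Weak form. The defect is the extra urldecode(): the decoded copy is what
// gets compared, while the caller later uses the original, undecoded value.
// With $page = "db_sql.php%3f/../../etc/passwd" (what PHP receives after the
// web server has decoded %253f once), urldecode() turns %3f into '?', the
// tail is discarded for the comparison, and "db_sql.php" matches.
function checkPageValidityWeak(string $page, array $whitelist = PAGE_WHITELIST): bool
{
    if (in_array($page, $whitelist, true)) {
        return true;
    }
    if (in_array(stripQuery($page), $whitelist, true)) {
        return true;
    }
    $decoded = urldecode($page);            // second decode: the bug
    return in_array(stripQuery($decoded), $whitelist, true);
}

// Hardened form: resolve the request value to a canonical whitelisted name
// and return that name (or null). The caller includes the returned name,
// never the raw request value, so the validated string is the used string.
function resolvePage(string $page, array $whitelist = PAGE_WHITELIST): ?string
{
    $name = stripQuery($page);
    $tail = substr($page, strlen($name));   // '' or '?...'
    if (!in_array($name, $whitelist, true)) {
        return null;
    }
    // No decoding, and the query tail may not smuggle path characters.
    if ($tail !== '' && preg_match('#[/\\\\%]|\.\.#', $tail)) {
        return null;
    }
    return $name;
}

// Constructed inputs: two legitimate values, the advisory's double-encoded
// traversal as PHP sees it (one decode already applied by the server), and
// the same traversal with a literal '?'.
$inputs = [
    'db_sql.php',
    'db_sql.php?db=test',
    'db_sql.php%3f/../../../../../../windows/win.ini',
    'db_sql.php?/../../../../../../etc/passwd',
];

foreach ($inputs as $in) {
    printf("%-50s weak=%s  hardened=%s\n",
        $in,
        checkPageValidityWeak($in) ? 'accept' : 'reject',
        resolvePage($in) ?? 'reject'
    );
}
```

Run with `php checkpage.php`: the weak check accepts all four inputs, since for the third one the second decode produces `db_sql.php?...` and for the fourth the literal `?` is stripped before comparison; the hardened check accepts only the first two and returns `db_sql.php` for both, which is the only string the caller should ever pass to `include`.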

Exploitation:

`http://IP-address/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/win.ini`

(Screenshot: contents of the win.ini file returned in the response)

In order to achieve remote code execution, an attacker can write a web shell into a database table and then include the corresponding database file via the LFI.

(Screenshot: web shell stored as a field value in the data table)

`http://IP-address/phpmyadmin/index.php?a=phpinfo();&target=db_sql.php%253f/../../../../../../xampp/mysql/data/test/hack.frm`

(Screenshot: phpinfo() executed via the corresponding database file)

Mitigation:

Configuring PHP with a restrictive `open_basedir` can greatly restrict an attacker's ability to view files on the server. Please refer to PMASA-2018-4 for further mitigations and workarounds suggested by the vendor. Qualys customers can scan their network with QID 13174 to detect vulnerable targets.
