Thursday, July 7, 2011

phpMyAdmin 3.x Multiple Remote Code Executions

This post details a few interesting vulnerabilities I found while relaxing and reading the source code of phpMyAdmin. My original advisory can be found here.

If you would like me to audit your PHP project, check out Xxor's PHP security auditing service. http://www.xxor.se/services/php-security-audit.php

The first vulnerability

File: libraries/auth/swekey/swekey.auth.lib.php
Lines: 266-276
Patched in: and
Type: Variable Manipulation
Assigned CVE id: CVE-2011-2505
PMA Announcement-ID: PMASA-2011-5

    if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
    {
        parse_str($_SERVER['QUERY_STRING']);
        session_write_close();
        session_id($session_to_unset);
        session_start();
        $_SESSION = array();
        session_write_close();
        session_destroy();
        exit;
    }

Notice the call to parse_str on line 268, which passes the query string as its first argument and is missing the second argument. This means that whatever parameters and values are present in the query string will be registered as variables in the current namespace. Since the code path that executes the call to parse_str inevitably leads to a call to exit, there isn't much to exploit directly. However, the session variables persist between requests, giving us full control of the $_SESSION array.

When reading the code, you might believe that the session gets destroyed. But the call to session_write_close on line 269 saves the modified session, and the call to session_id on line 270 switches session. This can be confusing when testing in a browser, because the call to session_start will send a new cookie instructing the browser to forget about the modified session.
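Added example, not phpMyAdmin's code or its actual fix: a hardened form of the logout handler above. parse_str() writes into a local array instead of the symbol table, the session id is validated before the switch, and a constructed request shows that a _SESSION[...] parameter now stays inert. The function names are my own.

```php
<?php
// Added example, not phpMyAdmin's code or its patch: a hardened replacement
// for the swekey logout handler quoted above. parse_str() gets an output
// array, so query parameters never become variables in the current scope,
// and the session id is checked before the handler switches to it.

// The parameters of a query string as an array. The one-argument form used in
// the original wrote the same data into the caller's symbol table instead, so
// a parameter named _SESSION[x] became $_SESSION['x'] and was persisted by the
// session_write_close() that followed. (PHP 8 removed the one-argument form.)
function queryStringVariables(string $queryString): array
{
    $vars = array();
    parse_str($queryString, $vars);
    return $vars;
}

// PHP's own session ids consist of [A-Za-z0-9,-]; anything else is refused,
// which also keeps path characters away from file-based session handlers.
function isWellFormedSessionId($sid): bool
{
    return is_string($sid) && preg_match('/^[A-Za-z0-9,-]{1,128}$/', $sid) === 1;
}

// Hardened handler. Returns false when the request carries no usable id;
// the caller's own session is never modified by request data.
function swekeyUnsetSession(string $queryString): bool
{
    $vars = queryStringVariables($queryString);
    if (!isset($vars['session_to_unset']) || !isWellFormedSessionId($vars['session_to_unset'])) {
        return false;
    }
    session_write_close();              // persists only what the application stored
    session_id($vars['session_to_unset']);
    session_start();
    $_SESSION = array();
    session_destroy();
    return true;
}

// Constructed request: a valid id plus a parameter that tries to reach $_SESSION.
$sample = 'session_to_unset=abc123&_SESSION%5BConfigFile0%5D%5BServers%5D=tampered';
$vars = queryStringVariables($sample);
var_export(array(
    'id_accepted'       => isWellFormedSessionId($vars['session_to_unset']),
    'traversal_refused' => !isWellFormedSessionId('../../etc/passwd'),
    'stayed_local'      => isset($vars['_SESSION']['ConfigFile0']) && !isset($_SESSION['ConfigFile0']),
));
echo "\n";
```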

From here on there are numerous XSS and SQL injection vulnerabilities open for attack. But we'll focus on three far more serious vulnerabilities.

The second vulnerability

Patched in: and
Type: Remote Static Code Injection
Assigned CVE id: CVE-2011-2506
PMA Announcement-ID: PMASA-2011-6

File: setup/lib/ConfigGenerator.class.php
Lines: 16-78
    /**
     * Creates config file
     *
     * @return string
     */
    public static function getConfigFile()
    {
        $cf = ConfigFile::getInstance();

        $crlf = (isset($_SESSION['eol']) && $_SESSION['eol'] == 'win') ? "\r\n" : "\n";
        $c = $cf->getConfig();

        // header (the '<?php' ... '$cf->' part of this statement was swallowed by the
        // page's HTML rendering; it is restored here from the generated file's header)
        $ret = '<?php' . $crlf
            . '/*' . $crlf
            . ' * Generated configuration file' . $crlf
            . ' * Generated by: phpMyAdmin ' . $cf->get('PMA_VERSION') . ' setup script' . $crlf
            . ' * Date: ' . date(DATE_RFC1123) . $crlf
            . ' */' . $crlf . $crlf;

        // servers
        if ($cf->getServerCount() > 0) {
            $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf;
            foreach ($c['Servers'] as $id => $server) {
                $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf
                    . '$i++;' . $crlf;
                foreach ($server as $k => $v) {
                    $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
                    $ret .= "\$cfg['Servers'][\$i]['$k'] = "
                        . (is_array($v) && self::_isZeroBasedArray($v)
                            ? self::_exportZeroBasedArray($v, $crlf)
                            : var_export($v, true))
                        . ';' . $crlf;
                }
                $ret .= $crlf;
            }
            $ret .= '/* End of servers configuration */' . $crlf . $crlf;
        }
        unset($c['Servers']);

        // other settings
        $persistKeys = $cf->getPersistKeysMap();

        foreach ($c as $k => $v) {
            $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
            $ret .= self::_getVarExport($k, $v, $crlf);
            if (isset($persistKeys[$k])) {
                unset($persistKeys[$k]);
            }
        }
        // keep 1d array keys which are present in $persist_keys (config.values.php)
        foreach (array_keys($persistKeys) as $k) {
            if (strpos($k, '/') === false) {
                $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
                $ret .= self::_getVarExport($k, $cf->getDefault($k), $crlf);
            }
        }
        $ret .= '?>';

        return $ret;
    }

On line 42 in this file a comment is created to show some additional information in the config file. We can see that the output of the call to $cf->getServerName($id) is sanitized to prevent user input from closing the comment. However $id, the key of the $c['Servers'] array, is not. So if we could rename a key in this array we could close the comment and inject arbitrary PHP code.
On line 26 the $c array is created from a call to $cf->getConfig().

File: libraries/config/ConfigFile.class.php
Lines: 469-482
    /**
     * Returns configuration array (full, multidimensional format)
     *
     * @return array
     */
    public function getConfig()
    {
        $c = $_SESSION[$this->id];
        foreach ($this->cfgUpdateReadMapping as $map_to => $map_from) {
            PMA_array_write($map_to, $c, PMA_array_read($map_from, $c));
            PMA_array_remove($map_from, $c);
        }
        return $c;
    }

Bingo! The $c array is derived from the $_SESSION array, hence we could have full control of its contents by utilizing the first vulnerability. Now we can inject arbitrary PHP code that will be saved into the file config/config.inc.php. Then we would just browse to this file and the webserver would execute it.
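Added example, not phpMyAdmin's code: the per-server comment line from getConfigFile() in the vulnerable shape shown above and in a hardened one, plus the check a reviewer can run on any line the generator emits. Function names are my own; the hostile key is a constructed sample.

```php
<?php
// Added example, not phpMyAdmin's code: the per-server comment line from
// ConfigGenerator::getConfigFile() in its vulnerable shape and a hardened one,
// plus the check a reviewer can run on the generated line.

// As on the page: the server name is passed through strtr(), which turns every
// '*' and '/' into '-', but the array key $id is interpolated untouched.
function serverCommentVulnerable(string $name, string $id): string
{
    return '/* Server: ' . strtr($name, '*/', '-') . " [$id] */";
}

// Hardened: the key gets the same treatment the setting names receive a few
// lines later in the same function, so only [A-Za-z0-9_] reaches the file.
function serverCommentHardened(string $name, string $id): string
{
    $safeId = preg_replace('/[^A-Za-z0-9_]/', '_', $id);
    return '/* Server: ' . strtr($name, '*/', '-') . " [$safeId] */";
}

// A generated comment line is safe only if the first "*/" in it is the one
// appended at its end; an earlier one would hand the rest of the line to the
// PHP parser when config.inc.php is loaded.
function commentClosesOnlyAtEnd(string $line): bool
{
    return strpos($line, '*/') === strlen($line) - 2;
}

// Constructed keys: the normal numeric key and one carrying a terminator, as a
// tampered $_SESSION copy of the config could supply it.
$keys = array('1', '1 */ not-a-comment-any-more /*');
foreach ($keys as $id) {
    printf("%-36s vulnerable: %-6s hardened: %s\n", var_export($id, true),
        commentClosesOnlyAtEnd(serverCommentVulnerable('localhost', $id)) ? 'ok' : 'broken',
        commentClosesOnlyAtEnd(serverCommentHardened('localhost', $id)) ? 'ok' : 'broken');
}
```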

This vulnerability requires one specific condition: the config directory must have been left in place after the initial configuration. This is something advised against, and hence a majority of servers won't be susceptible to this attack. Therefore we'll check out a third and a fourth vulnerability.

The third vulnerability

Patched in: and
Type: Authenticated Remote Code Execution
Assigned CVE id: CVE-2011-2507
PMA Announcement-ID: PMASA-2011-7

File: server_synchronize.php
Line: 466
    $trg_db = $_SESSION['trg_db'];

Line: 477

    $uncommon_tables = $_SESSION['uncommon_tables'];

Line: 674

    PMA_createTargetTables($src_db, $trg_db, $src_link, $trg_link, $uncommon_tables, $uncommon_table_structure_diff[$s], $uncommon_tables_fields, false);

File: libraries/server_synchronize.lib.php
Lines: 613-631

    function PMA_createTargetTables($src_db, $trg_db, $src_link, $trg_link, &$uncommon_tables, $table_index, &$uncommon_tables_fields, $display)
    {
        if (isset($uncommon_tables[$table_index])) {
            $fields_result = PMA_DBI_get_fields($src_db, $uncommon_tables[$table_index], $src_link);
            $fields = array();
            foreach ($fields_result as $each_field) {
                $field_name = $each_field['Field'];
                $fields[] = $field_name;
            }
            $uncommon_tables_fields[$table_index] = $fields;
            $Create_Query = PMA_DBI_fetch_value("SHOW CREATE TABLE " . PMA_backquote($src_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), 0, 1, $src_link);

            // Replace the src table name with a `dbname`.`tablename`
            $Create_Table_Query = preg_replace('/' . PMA_backquote($uncommon_tables[$table_index]) . '/',
                PMA_backquote($trg_db) . '.' .PMA_backquote($uncommon_tables[$table_index]),
                $Create_Query, $limit = 1
            );

The variables $uncommon_tables[$table_index] and $trg_db are derived from the $_SESSION array. By utilizing the first vulnerability we can inject whatever we want into both the first and the second argument of the function preg_replace on lines 627-631. In a previous post to this blog I've detailed how this condition can be turned into a remote code execution. Basically, we can inject the "e" modifier into the regexp pattern, which causes the second argument to be executed as PHP code.

This vulnerability has two major restrictions from an attacker's perspective. First, the Suhosin patch completely defends against this type of attack. Second, this piece of code can only be reached if we're authenticated. So to exploit it we would need prior knowledge of credentials to an account of the database that phpMyAdmin is set up to manage, except for some obscure configurations that allow us to bypass this restriction.
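Added example, not phpMyAdmin's code: the table-name rewrite from PMA_createTargetTables() done without letting the names become regex syntax. backquote() is an assumed stand-in for PMA_backquote(), and the sample query is constructed.

```php
<?php
// Added example, not phpMyAdmin's code: the table-name rewrite from
// PMA_createTargetTables() done without letting the names become regex syntax.

// Stand-in for PMA_backquote() (assumed helper): backtick-quote an identifier,
// doubling embedded backticks as MySQL requires.
function backquote(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

// The shape on the page: the quoted table name is pasted into the pattern. A
// name containing '/' ends the pattern early and the rest is read as modifiers;
// on PHP < 7.0 that could include 'e', which evaluates the replacement as code.
function rewriteCreateTableVulnerable(string $createQuery, string $table, string $trgDb)
{
    return preg_replace('/' . backquote($table) . '/',
        backquote($trgDb) . '.' . backquote($table), $createQuery, 1);
}

// Hardened: no regular expression. Locate the first literal occurrence and
// splice the qualified name in; both names are data, never syntax.
function rewriteCreateTable(string $createQuery, string $table, string $trgDb): string
{
    $needle = backquote($table);
    $pos = strpos($createQuery, $needle);
    if ($pos === false) {
        return $createQuery;
    }
    return substr_replace($createQuery, backquote($trgDb) . '.' . $needle, $pos, strlen($needle));
}

// If a regex is genuinely wanted, preg_quote() with the delimiter as second
// argument neutralises the pattern side. The replacement side still must not
// be request-controlled: "$1" and "\1" are interpreted there, and on old PHP
// an injected 'e' modifier would have evaluated it.
function rewriteCreateTableRegex(string $createQuery, string $table, string $trgDb): string
{
    $pattern = '/' . preg_quote(backquote($table), '/') . '/';
    return preg_replace($pattern, backquote($trgDb) . '.' . backquote($table), $createQuery, 1);
}

// Constructed input: a table name containing the pattern delimiter.
$query = 'CREATE TABLE `a/b` (id INT)';
var_export(array(
    'literal'    => rewriteCreateTable($query, 'a/b', 'target'),
    'regex'      => rewriteCreateTableRegex($query, 'a/b', 'target'),
    'vulnerable' => @rewriteCreateTableVulnerable($query, 'a/b', 'target'), // pattern cut short by the '/'
));
echo "\n";
```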

Since the Suhosin patch is pretty popular, and for example compiled by default in OpenBSD's PHP packages, it's worth exploring a fourth vulnerability.

The fourth vulnerability

Patched in: and
Type: Path Traversal
Assigned CVE id: CVE-2011-2508
PMA Announcement-ID: PMASA-2011-8

File: libraries/display_tbl.lib.php
Lines: 1291-1299

    if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) {
        if (isset($GLOBALS['mime_map'][$meta->name]['mimetype'])
            && isset($GLOBALS['mime_map'][$meta->name]['transformation'])
            && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) {
            $include_file = $GLOBALS['mime_map'][$meta->name]['transformation'];
            if (file_exists('./libraries/transformations/' . $include_file)) {
                $transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']);
                require_once './libraries/transformations/' . $include_file;

This fourth vulnerability is a directory traversal in a call to require_once, which can be exploited as a local file inclusion. The variable $GLOBALS['mime_map'][$meta->name]['transformation'] is derived from user input. For example, by setting it to "../../../../../../etc/passwd" the local passwd file could show up.

This vulnerability can only be reached if we're authenticated, and it requires that the transformation feature is set up correctly in phpMyAdmin's configuration storage. However, the $GLOBALS['cfgRelation'] array is derived from the $_SESSION array. Hence the variable $GLOBALS['cfgRelation']['mimework'] used to check this can be modified using the first vulnerability.

File: libraries/display_tbl.lib.php
Lines: 707-710

    if ($GLOBALS['cfgRelation']['commwork'] && $GLOBALS['cfgRelation']['mimework']
        && $GLOBALS['cfg']['BrowseMIME'] && ! $_SESSION['tmp_user_values']['hide_transformation']) {
        require_once './libraries/transformations.lib.php';
        $GLOBALS['mime_map'] = PMA_getMIME($db, $table);
    }

The fact that $GLOBALS['mime_map'] is only conditionally initialized, together with the fact that phpMyAdmin registers all request variables in the global namespace (it blacklists some, but not mime_map), allows us to set $GLOBALS['mime_map'][$meta->name]['transformation'] to whatever we want, even when the transformation feature is not set up correctly.
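Added example, not phpMyAdmin's code: resolving a transformation file name to a path that provably stays inside the transformations directory, in place of concatenating request-derived input into require_once. The function name and the temporary fixture directory are my own.

```php
<?php
// Added example, not phpMyAdmin's code: resolving a transformation file name
// to a path that provably stays inside the transformations directory, in
// place of concatenating request-derived input into require_once.

// Returns the absolute path to include, or null unless $name is an existing,
// regular ".inc.php" file directly inside $dir.
function resolveTransformationFile(string $dir, string $name): ?string
{
    // Checks on the name alone: no NUL bytes (they truncate paths in C-level
    // file calls), no directory component, and the expected suffix.
    if ($name === '' || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    if (substr($name, -8) !== '.inc.php') {
        return null;
    }
    // Canonicalise both sides: realpath() collapses ".." and symlinks, so the
    // containment test below cannot be fooled by either.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false || !is_file($path) || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed fixture: a temporary directory with one real transformation
// file, so the example runs stand-alone.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'transformations_' . getmypid();
mkdir($dir, 0700);
$good = 'text_plain__sample.inc.php';
file_put_contents($dir . DIRECTORY_SEPARATOR . $good, "<?php\n// constructed sample\n");

$cases = array(
    $good,                                   // legitimate name
    '../../../../../../etc/passwd',          // the traversal named in the post
    $good . "\0.txt",                        // NUL byte after a valid name
    $good . '/../../passwd',                 // traversal behind a valid prefix
    'text_plain__sample.php',                // wrong suffix
);
foreach ($cases as $name) {
    $path = resolveTransformationFile($dir, $name);
    printf("%-44s -> %s\n", addcslashes($name, "\0"),
        $path === null ? 'rejected' : 'included from ' . basename($path));
}

unlink($dir . DIRECTORY_SEPARATOR . $good);
rmdir($dir);
```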


  • If the config folder is left in place, phpMyAdmin is vulnerable.

  • If an attacker has access to database credentials and the Suhosin patch is not installed, phpMyAdmin is vulnerable.

  • If an attacker has access to database credentials and knows how to exploit a local file inclusion, phpMyAdmin is vulnerable.


Here are some exploits that have appeared so far, sorted in chronological order.

phpMyAdmin3 (pma3) Remote Code Execution Exploit written in python by wofeiwo exploiting vulnerability 1 and 2.

phpMyAdmin 3.x preg_replace RCE POC written in php by Mango exploiting vulnerability 1 and 3. This isn't really an exploit, just a POC.

phpMyAdmin 3.x Swekey RCI Exploit written in php by Mango exploiting vulnerability 1 and 2.

An extra noteworthy exploit is this one created by M4g exploiting vulnerability 1. He paired the first vulnerability with a roughly one year old bug in the PHP core, the PHP Session Serializer Session Data Injection Vulnerability found by Stefan Esser.
Or for those of us who can't read Russian, use Google translate.


  1. In The first vulnerability

    If I inject an arbitrary session via $_SERVER['QUERY_STRING'], why doesn't the session reset after session_start()?

  2. @Anonymous

    Your original session is modified by:

    Then it switches session with:

    Then the new session is reset using:

    Your original session remains and is modified.

    Don't try to test this issue in a browser. Write a script to handle the cookies and requests yourself.

  3. @Mango
    How do I modify that session with $_SERVER['QUERY_STRING']?

    Is it the right way?


    But why can't I modify the session?

  4. @Josh


    It can't be done with a browser, since you need to retain your old cookies when it switches session.

  5. What about the directory traversal bug, how is that usable? An example link would be gladly welcomed.

  6. @Anonymous2

    It's usable as an LFI.

    If the transformation feature in phpMyAdmin is set up correctly, you can insert the path in its interface. Otherwise you need to write a script to use the first vulnerability.

  7. Can you give me an e-mail of yours or something like that to talk to you faster, or should this comment area be more than enough?

  8. Are you on IRC somewhere? Mail is so 1999 :p

  9. This comment has been removed by the author.

  10. @0x6a616d6573

    POC released: http://ha.xxor.se/2011/07/phpmyadmin-3x-pregreplace-rce-poc.html

  11. @Anonymous

    I've got little time at the computer this week. Drop me a mail with a channel/server and I'll look in when I can.

  12. It seems it's not the Suhosin patch which will defend against the /e modifier attack, but rather the extension combined with the following, off-by-default option:


    Interesting vulnerabilities. Thanks for sharing.

  13. What is the SESSION that can modify $GLOBALS['cfgRelation']?

  14. @Anonymous
    The exploit utilizes a null byte injection in preg_replace which Suhosin patches. I don't believe that can be turned off.

    Check out line 98 in
    $this->id = 'ConfigFile' . $GLOBALS['server'];

  15. Hello, I'm trying to scan in the wild but nothing seems to be vulnerable, all PMA servers installed on servers are 2.*. Anyone any idea? A dork for PMA 3.*?
