File inclusion and remote code execution attack
A flaw has been discovered where an attacker can include (view and potentially execute) files on the server.
The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages.
An attacker must be authenticated, except in these situations:
We consider this to be severe.
Configuring PHP with a restrictive `open_basedir` can greatly restrict an attacker's ability to view files on the server. Vulnerable systems should not be run with the phpMyAdmin directives $cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0
phpMyAdmin 4.8.0 and 4.8.1 are affected.
Upgrade to phpMyAdmin 4.8.2 or newer or apply patch listed below.
Henry Huang, an independent security researcher, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
Assigned CVE ids: CVE-2018-12613
CWE ids: CWE-661
The following commits have been made on the 4.8 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.