Vulnerability
phpMyAdmin is a free PHP-based software tool for managing MySQL over the Network. A vulnerability in phpMyAdmin 4.8.x prior to 4.8.2 was discovered. CVE-2018–12613 was allocated to a file inclusion flaw found in index.php from PMA 4.8.0 and 4.8.1. It is triggered by a validation bypass in the insecure route checking feature Core::checkPageValidity.phpMyAdmin directives such as $cfg[‘AllowArbitraryServer’] = true or $cfg[‘ServerDefault’] = 0 cannot be used on vulnerable applications because An authenticated remote attacker will exploit this flaw to execute arbitrary PHP code on the server by bypassing login requirement without any authentication.
Mitigation / Precaution
- When PHP is configured with a restrictive ‘open_basedir’, an attacker’s right to access files on the server is significantly restricted.
- Maintain the most recent version of PhpMyAdmin.
Written by
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days
