Vulnerabilities > CVE-2013-3241 - Unspecified vulnerability in PHPmyadmin 4.0.0

CVSS 4.0 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

phpmyadmin

nessus

exploit available

NVD

Published: 2013-04-26

Updated: 2013-11-19

Summary

export.php (aka the export script) in phpMyAdmin 4.x before 4.0.0-rc3 overwrites global variables on the basis of the contents of the POST superglobal array, which allows remote authenticated users to inject values via a crafted request.

Vulnerable Configurations

Part	Description	Count
Application	Phpmyadmin Phpmyadmin Phpmyadmin 4.0.0	1

Exploit-Db

description	phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities. CVE-2013-3238,CVE-2013-3239,CVE-2013-3240,CVE-2013-3241. Webapps exploit for php platform
id	EDB-ID:25003
last seen	2016-02-03
modified	2013-04-25
published	2013-04-25
reporter	waraxe
source	https://www.exploit-db.com/download/25003/
title	phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities

Nessus

NASL family	CGI abuses
NASL id	PHPMYADMIN_PMASA_2013_2.NASL
description	According to its self-identified version number, the phpMyAdmin 3.5.x / 4.0.0 install hosted on the remote web server is earlier than 3.5.8.1 / 4.0.0-rc3 and is, therefore, affected by multiple vulnerabilities: - The
last seen	2020-06-01
modified	2020-06-02
plugin id	66295
published	2013-05-02
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/66295
title	phpMyAdmin 3.5.x < 3.5.8.1 / 4.x < 4.0.0-rc3 Multiple Vulnerabilities (PMASA-2013-2 - PMASA-2013-5
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(66295); script_version("1.7"); script_cvs_date("Date: 2019/11/27"); script_cve_id( "CVE-2013-3238", "CVE-2013-3239", "CVE-2013-3240", "CVE-2013-3241" ); script_bugtraq_id( 59460, 59461, 59462, 59465 ); script_xref(name:"EDB-ID", value:"25003"); script_name(english:"phpMyAdmin 3.5.x < 3.5.8.1 / 4.x < 4.0.0-rc3 Multiple Vulnerabilities (PMASA-2013-2 - PMASA-2013-5"); script_summary(english:"Checks version of phpMyAdmin"); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-identified version number, the phpMyAdmin 3.5.x / 4.0.0 install hosted on the remote web server is earlier than 3.5.8.1 / 4.0.0-rc3 and is, therefore, affected by multiple vulnerabilities: - The 'preg_replace' fails to properly sanitize arguments, which can be used to for arbitrary code execution. (CVE-2013-3238) - A security weakness exists in the way that locally saved databases are handled. It is possible that the 'filename_template' parameter can be used to create a file with double extensions. (CVE-2013-3239) - A flaw exists where the 'what' parameter was not correctly validated, allowing for a local file inclusion. This flaw reportedly affects phpMyAdmin 4.x only. (CVE-2013-3240) - A flaw exists in the 'export.php' script that allows overwrite of global variables, leading to an unauthorized access vulnerability. This flaw reportedly affects phpMyAdmin 4.x only. (CVE-2013-3241)"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2013-2/"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2013-3/"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2013-4/"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2013-5/"); script_set_attribute(attribute:"see_also", value:"http://www.waraxe.us/advisory-103.html"); script_set_attribute(attribute:"solution", value: "Either upgrade to phpMyAdmin 3.5.8.1 / 4.0.0-rc3 or later, or apply the patches from the referenced link."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'phpMyAdmin Authenticated Remote Code Execution via preg_replace()'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/24"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/24"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/02"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("phpMyAdmin_detect.nasl"); script_require_keys("www/PHP", "www/phpMyAdmin", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); include("webapp_func.inc"); port = get_http_port(default:80, php:TRUE); install = get_install_from_kb(appname:"phpMyAdmin", port:port, exit_on_fail:TRUE); dir = install['dir']; location = build_url(qs:dir, port:port); version = install['ver']; if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, "phpMyAdmin", location); if (report_paranoia < 2) audit(AUDIT_PARANOID); if ( version =~ "^3(\.5)?$" \|\| version =~ "^4(\.0)?$" ) exit(1, "The version of phpMyAdmin located at "+ location +" ("+ version +") is not granular enough."); if ( # 3.5.x < 3.5.8.1 version =~ "^3\.5\.[0-7]([^0-9]\|$)" \|\| version =~ "^3\.5\.8($\|\.[^1-9])" \|\| # 4.0.0 < 4.0.0-rc3 version =~ "^4\.0\.0-rc[0-2]([^0-9]\|$)" ) { if (report_verbosity > 0) { report = '\n URL : ' + location + '\n Installed version : ' + version + '\n Fixed version : 3.5.8.1 / 4.0.0-rc3' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else audit(AUDIT_WEB_APP_NOT_AFFECTED, "phpMyAdmin", location, version);

Packetstorm

data source	https://packetstormsecurity.com/files/download/121411/waraxe-2013-SA103.txt
id	PACKETSTORM:121411
last seen	2016-12-05
published	2013-04-25
reporter	Janek Vind aka waraxe
source	https://packetstormsecurity.com/files/121411/phpMyAdmin-3.5.8-4.0.0-RC2-Code-Execution-LFI-Overwrite.html
title	phpMyAdmin 3.5.8 / 4.0.0-RC2 Code Execution / LFI / Overwrite

Seebug

bulletinFamily	exploit
description	BUGTRAQ ID: 59461 CVE(CAN) ID: CVE-2013-3241 phpmyadmin是MySQL数据库的在线管理工具，主要功能包括在线创建数据表、运行SQL语句、搜索查询数据以及导入导出数据等。 phpMyAdmin 4.0.0-rc3之前版本内的export.php根据POST超全局数组的内容覆盖了全局变量，经过身份验证的远程用户通过特制的请求利用此漏洞注入任意值。 Php script "export.php" line 20: ``` ------------------------[ source code start ]-------------------------------- foreach ($_POST as $one_post_param => $one_post_value) { $GLOBALS[$one_post_param] = $one_post_value; } PMA_Util::checkParameters(array('what', 'export_type')); ------------------------[ source code end ]----------------------------------- ``` 可以看到遍历覆盖，， phpMyAdmin < 4.0.0-rc3 厂商补丁： phpMyAdmin ---------- 目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载： http://www.phpmyadmin.net/home_page/security/ https://github.com/phpmyadmin/phpmyadmin/commit/dedd542cdaf1606ca9aa3f6f8f8adb078d8ad549 https://github.com/phpmyadmin/phpmyadmin/commit/ffa720d90a79c1f33cf4c5a33403d09a67b42a66
id	SSV:60770
last seen	2017-11-19
modified	2013-04-28
published	2013-04-28
reporter	Root
title	phpMyAdmin '$GLOBALS' 数组未授权访问漏洞(CVE-2013-3241)

bulletinFamily	exploit
description	No description provided by source.
id	SSV:78670
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-78670
title	phpMyAdmin 3.5.8 and 4.0.0-RC2 - Multiple Vulnerabilities