Vulnerabilities > CVE-2019-6799

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
high complexity
phpmyadmin
debian
nessus

Summary

An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.

Vulnerable Configurations

Part Description Count
Application
Phpmyadmin
177
OS
Debian
1

Nessus

  • NASL familyCGI abuses
    NASL idPHPMYADMIN_PMASA_4_8_5.NASL
    descriptionAccording to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.8.5. It is, therefore, affected by multiple vulnerabilities. - When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server
    last seen2020-06-01
    modified2020-06-02
    plugin id126705
    published2019-07-16
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126705
    titlephpMyAdmin 4.0 < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1), (PMASA-2019-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126705);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/18 23:14:14");
    
      script_cve_id("CVE-2019-6798", "CVE-2019-6799");
    
      script_name(english:"phpMyAdmin 4.0 < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1), (PMASA-2019-2)");
      script_summary(english:"Checks the version of phpMyAdmin.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to
    4.8.5. It is, therefore, affected by multiple vulnerabilities.
    
      - When AllowArbitraryServer configuration set to true,
        with the use of a rogue MySQL server, an attacker can
        read any file on the server that the web server's user
        can access.phpMyadmin attempts to block the use of LOAD
        DATA INFILE, but due to a bug in PHP, this check is not
        honored. Additionally, when using the 'mysql' extension,
        mysql.allow_local_infile is enabled by default. Both of
        these conditions allow the attack to occur.
        (CVE-2019-6799)
    
      - A vulnerability was reported where a specially crafted
        username can be used to trigger an SQL injection attack
        through the designer feature. (CVE-2019-6798)
    
    Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
    number.");
      script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-1/");
      script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-2/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpMyAdmin version 4.8.5 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6798");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_cwe_id(89, 661);
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/16");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("phpMyAdmin_detect.nasl");
      script_require_keys("www/PHP", "installed_sw/phpMyAdmin", "Settings/ParanoidReport");
      script_require_ports("Services/www", 80);
    
      exit(0);
    }
    
    include('vcf.inc');
    include('http.inc');
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:80, php:TRUE);
    
    app_info = vcf::get_app_info(app:'phpMyAdmin', port:port, webapp:TRUE);
    
    constraints = [
      { 'min_version' : '4.0', 'max_version' : '4.8.4', 'fixed_version' : '4.8.5' }
    ];
    
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familyCGI abuses
    NASL idPHPMYADMIN_PMASA_2019_1_2.NASL
    descriptionAccording to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.x prior to 4.8.5. It is, therefore, affected by at least one of the following vulnerabilities: - A SQL injection (SQLi) vulnerability exists in phpMyAdmin due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data (CVE-2019-6798). - An arbitrary file read vulnerability exists in phpMyAdmin when the AllowArbitraryServer configuration setting is set to true. An unauthenticated, remote attacker can exploit this, via a rogue MySQL server, to read arbitrary files and disclose sensitive information (CVE-2019-6799). Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id123416
    published2019-03-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123416
    titlephpMyAdmin 4.x < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1) (PMASA-2019-2)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(123416);
      script_version("1.3");
      script_cvs_date("Date: 2019/10/30 13:24:46");
    
      script_cve_id("CVE-2019-6798", "CVE-2019-6799");
      script_bugtraq_id(106727, 106736);
    
      script_name(english:"phpMyAdmin 4.x < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1) (PMASA-2019-2)");
      script_summary(english:"Checks the version of phpMyAdmin.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server hosts a PHP application that is affected by
    multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the phpMyAdmin
    application hosted on the remote web server is 4.x prior to
    4.8.5. It is, therefore, affected by at least one of the following vulnerabilities:
    
      - A SQL injection (SQLi) vulnerability exists in phpMyAdmin due to improper validation of user-supplied input.
      An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database,
      resulting in the disclosure or manipulation of arbitrary data (CVE-2019-6798).
    
      - An arbitrary file read vulnerability exists in phpMyAdmin when the AllowArbitraryServer configuration setting is 
      set to true. An unauthenticated, remote attacker can exploit this, via a rogue MySQL server, to read arbitrary files
      and disclose sensitive information (CVE-2019-6799).
    
    Note that Nessus has not attempted to exploit these issues but has
    instead relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-1/");
      script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-2/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to phpMyAdmin version 4.8.5 or later.
    Alternatively, apply the patches referenced in the vendor advisories.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6798");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/22");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"CGI abuses");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("phpMyAdmin_detect.nasl");
      script_require_ports("Services/www", 80);
      script_require_keys("www/PHP", "installed_sw/phpMyAdmin");
    
      exit(0);
    }
    include("http.inc");
    include("vcf.inc");
    
    port = get_http_port(default:80, php:TRUE);
    appname = "phpMyAdmin";
    app_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);
    
    constraints = [{"min_version":"4.0", "fixed_version":"4.8.5"}];
    vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-194.NASL
    descriptionThis update for phpMyAdmin to version 4.8.5 fixes the following issues : Security issues fixed : - CVE-2019-6799: Fixed an arbitrary file read vulnerability (boo#1123272) - CVE-2019-6798: Fixed a SQL injection in the designer interface (boo#1123271) Other changes : - Fix rxport to SQL format not available - Fix QR code not shown when adding two-factor authentication to a user account - Fix issue with adding a new user in MySQL 8.0.11 and newer - Fix frozen interface relating to Text_Plain_Sql plugin - Fix missing table level operations tab
    last seen2020-05-31
    modified2019-02-19
    plugin id122294
    published2019-02-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122294
    titleopenSUSE Security Update : phpMyAdmin (openSUSE-2019-194)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2019-194.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122294);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26");
    
      script_cve_id("CVE-2019-6798", "CVE-2019-6799");
    
      script_name(english:"openSUSE Security Update : phpMyAdmin (openSUSE-2019-194)");
      script_summary(english:"Check for the openSUSE-2019-194 patch");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for phpMyAdmin to version 4.8.5 fixes the following 
    issues :
    
    Security issues fixed :
    
      - CVE-2019-6799: Fixed an arbitrary file read
        vulnerability (boo#1123272)
    
      - CVE-2019-6798: Fixed a SQL injection in the designer
        interface (boo#1123271)
    
    Other changes :
    
      - Fix rxport to SQL format not available
    
      - Fix QR code not shown when adding two-factor
        authentication to a user account
    
      - Fix issue with adding a new user in MySQL 8.0.11 and
        newer
    
      - Fix frozen interface relating to Text_Plain_Sql plugin
    
      - Fix missing table level operations tab"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1123271"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1123272"
      );
      script_set_attribute(
        attribute:"solution",
        value:"Update the affected phpMyAdmin package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:phpMyAdmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE15.0", reference:"phpMyAdmin-4.8.5-lp150.2.15.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1692.NASL
    descriptionAn information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server
    last seen2020-06-01
    modified2020-06-02
    plugin id122490
    published2019-02-28
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122490
    titleDebian DLA-1692-1 : phpmyadmin security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1692-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122490);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/07");
    
      script_cve_id("CVE-2019-6799");
    
      script_name(english:"Debian DLA-1692-1 : phpmyadmin security update");
      script_summary(english:"Checks dpkg output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An information leak issue was discovered in phpMyAdmin. An attacker
    can read any file on the server that the web server's user can access.
    This is related to the mysql.allow_local_infile PHP configuration.
    When the AllowArbitraryServer configuration setting is set to false
    (default), the attacker needs a local MySQL account. When set to true,
    the attacker can exploit this with the use of a rogue MySQL server.
    
    For Debian 8 'Jessie', this problem has been fixed in version
    4:4.2.12-2+deb8u5.
    
    We recommend that you upgrade your phpmyadmin packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2019/02/msg00039.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/phpmyadmin"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected phpmyadmin package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpmyadmin");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"phpmyadmin", reference:"4:4.2.12-2+deb8u5")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");