Vulnerabilities > CVE-2019-6799
Attack vector
NETWORK Attack complexity
HIGH Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.
Vulnerable Configurations
Nessus
NASL family CGI abuses NASL id PHPMYADMIN_PMASA_4_8_5.NASL description According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.8.5. It is, therefore, affected by multiple vulnerabilities. - When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server last seen 2020-06-01 modified 2020-06-02 plugin id 126705 published 2019-07-16 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126705 title phpMyAdmin 4.0 < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1), (PMASA-2019-2) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(126705); script_version("1.2"); script_cvs_date("Date: 2019/10/18 23:14:14"); script_cve_id("CVE-2019-6798", "CVE-2019-6799"); script_name(english:"phpMyAdmin 4.0 < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1), (PMASA-2019-2)"); script_summary(english:"Checks the version of phpMyAdmin."); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the phpMyAdmin application hosted on the remote web server is 4.0.x prior to 4.8.5. It is, therefore, affected by multiple vulnerabilities. - When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access.phpMyadmin attempts to block the use of LOAD DATA INFILE, but due to a bug in PHP, this check is not honored. Additionally, when using the 'mysql' extension, mysql.allow_local_infile is enabled by default. Both of these conditions allow the attack to occur. (CVE-2019-6799) - A vulnerability was reported where a specially crafted username can be used to trigger an SQL injection attack through the designer feature. (CVE-2019-6798) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-1/"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-2/"); script_set_attribute(attribute:"solution", value: "Upgrade to phpMyAdmin version 4.8.5 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6798"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_cwe_id(89, 661); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"potential_vulnerability", value:"true"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("phpMyAdmin_detect.nasl"); script_require_keys("www/PHP", "installed_sw/phpMyAdmin", "Settings/ParanoidReport"); script_require_ports("Services/www", 80); exit(0); } include('vcf.inc'); include('http.inc'); if (report_paranoia < 2) audit(AUDIT_PARANOID); port = get_http_port(default:80, php:TRUE); app_info = vcf::get_app_info(app:'phpMyAdmin', port:port, webapp:TRUE); constraints = [ { 'min_version' : '4.0', 'max_version' : '4.8.4', 'fixed_version' : '4.8.5' } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family CGI abuses NASL id PHPMYADMIN_PMASA_2019_1_2.NASL description According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.x prior to 4.8.5. It is, therefore, affected by at least one of the following vulnerabilities: - A SQL injection (SQLi) vulnerability exists in phpMyAdmin due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data (CVE-2019-6798). - An arbitrary file read vulnerability exists in phpMyAdmin when the AllowArbitraryServer configuration setting is set to true. An unauthenticated, remote attacker can exploit this, via a rogue MySQL server, to read arbitrary files and disclose sensitive information (CVE-2019-6799). Note that Nessus has not attempted to exploit these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 123416 published 2019-03-27 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123416 title phpMyAdmin 4.x < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1) (PMASA-2019-2) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(123416); script_version("1.3"); script_cvs_date("Date: 2019/10/30 13:24:46"); script_cve_id("CVE-2019-6798", "CVE-2019-6799"); script_bugtraq_id(106727, 106736); script_name(english:"phpMyAdmin 4.x < 4.8.5 Multiple Vulnerabilities (PMASA-2019-1) (PMASA-2019-2)"); script_summary(english:"Checks the version of phpMyAdmin."); script_set_attribute(attribute:"synopsis", value: "The remote web server hosts a PHP application that is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the phpMyAdmin application hosted on the remote web server is 4.x prior to 4.8.5. It is, therefore, affected by at least one of the following vulnerabilities: - A SQL injection (SQLi) vulnerability exists in phpMyAdmin due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to inject or manipulate SQL queries in the back-end database, resulting in the disclosure or manipulation of arbitrary data (CVE-2019-6798). - An arbitrary file read vulnerability exists in phpMyAdmin when the AllowArbitraryServer configuration setting is set to true. An unauthenticated, remote attacker can exploit this, via a rogue MySQL server, to read arbitrary files and disclose sensitive information (CVE-2019-6799). Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-1/"); script_set_attribute(attribute:"see_also", value:"https://www.phpmyadmin.net/security/PMASA-2019-2/"); script_set_attribute(attribute:"solution", value: "Upgrade to phpMyAdmin version 4.8.5 or later. Alternatively, apply the patches referenced in the vendor advisories."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6798"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/22"); script_set_attribute(attribute:"patch_publication_date", value:"2019/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:phpmyadmin:phpmyadmin"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("phpMyAdmin_detect.nasl"); script_require_ports("Services/www", 80); script_require_keys("www/PHP", "installed_sw/phpMyAdmin"); exit(0); } include("http.inc"); include("vcf.inc"); port = get_http_port(default:80, php:TRUE); appname = "phpMyAdmin"; app_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE); constraints = [{"min_version":"4.0", "fixed_version":"4.8.5"}]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-194.NASL description This update for phpMyAdmin to version 4.8.5 fixes the following issues : Security issues fixed : - CVE-2019-6799: Fixed an arbitrary file read vulnerability (boo#1123272) - CVE-2019-6798: Fixed a SQL injection in the designer interface (boo#1123271) Other changes : - Fix rxport to SQL format not available - Fix QR code not shown when adding two-factor authentication to a user account - Fix issue with adding a new user in MySQL 8.0.11 and newer - Fix frozen interface relating to Text_Plain_Sql plugin - Fix missing table level operations tab last seen 2020-05-31 modified 2019-02-19 plugin id 122294 published 2019-02-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122294 title openSUSE Security Update : phpMyAdmin (openSUSE-2019-194) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-194. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(122294); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/26"); script_cve_id("CVE-2019-6798", "CVE-2019-6799"); script_name(english:"openSUSE Security Update : phpMyAdmin (openSUSE-2019-194)"); script_summary(english:"Check for the openSUSE-2019-194 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for phpMyAdmin to version 4.8.5 fixes the following issues : Security issues fixed : - CVE-2019-6799: Fixed an arbitrary file read vulnerability (boo#1123272) - CVE-2019-6798: Fixed a SQL injection in the designer interface (boo#1123271) Other changes : - Fix rxport to SQL format not available - Fix QR code not shown when adding two-factor authentication to a user account - Fix issue with adding a new user in MySQL 8.0.11 and newer - Fix frozen interface relating to Text_Plain_Sql plugin - Fix missing table level operations tab" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1123271" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1123272" ); script_set_attribute( attribute:"solution", value:"Update the affected phpMyAdmin package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:phpMyAdmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/19"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"phpMyAdmin-4.8.5-lp150.2.15.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "phpMyAdmin"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1692.NASL description An information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server last seen 2020-06-01 modified 2020-06-02 plugin id 122490 published 2019-02-28 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122490 title Debian DLA-1692-1 : phpmyadmin security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-1692-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(122490); script_version("1.2"); script_cvs_date("Date: 2020/02/07"); script_cve_id("CVE-2019-6799"); script_name(english:"Debian DLA-1692-1 : phpmyadmin security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "An information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration. When the AllowArbitraryServer configuration setting is set to false (default), the attacker needs a local MySQL account. When set to true, the attacker can exploit this with the use of a rogue MySQL server. For Debian 8 'Jessie', this problem has been fixed in version 4:4.2.12-2+deb8u5. We recommend that you upgrade your phpmyadmin packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2019/02/msg00039.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/phpmyadmin" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected phpmyadmin package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:phpmyadmin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/26"); script_set_attribute(attribute:"patch_publication_date", value:"2019/02/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/28"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"phpmyadmin", reference:"4:4.2.12-2+deb8u5")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
References
- http://www.securityfocus.com/bid/106736
- https://lists.debian.org/debian-lts-announce/2019/02/msg00039.html
- https://www.phpmyadmin.net/security/PMASA-2019-1/
- http://www.securityfocus.com/bid/106736
- https://www.phpmyadmin.net/security/PMASA-2019-1/
- https://lists.debian.org/debian-lts-announce/2019/02/msg00039.html