phpMyAdmin Direct Remote Code Execution

Type: Direct Remote Code Execution and Local File Inclusion (LFI) and XSSNorman Hippert — Company: — (wildcat at the-wildcat dot de)

  • Reported: 08.07.2011
  • Published: 23.07.2011
  • Updated: 23.07.2011
  • Affected versions: 3.4.0 -
  • Risk: Very High
  • Solution: Update to or newer
  • CVE-ID: CVE-2011-2718


phpMyAdmin is susceptible to a direct remote code execution and another local file inclusion.

The attacker needs access to the database and the CREATE or ALTER TABLE right. Furthermore, the schema export feature has to be enabled.
We consider this to be a very serious security vulnerability for shared hosting systems and similar setups.

In addition, the LFI vulnerability can also easily be turned into remote code execution, for an example check: phpMyAdmin Local File Inclusion.
Need help securing your (web) applications? Write an e-mail to wildcat at the-wildcat dot de or contact me on XING :mrgreen:

POST /phpMyAdmin3/schema_edit.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

  • File: phpMyAdmin3/libraries/schema/User_Schema.class.php
  • Line: 567-577
	$obj_schema = eval("new PMA_".ucfirst($export_type)."_Relation_Schema();");
  • File: phpMyAdmin3/schema_export.php
  • Line: 39-48
  • No exploit for this file, but should be fixed too
global  $db,$export_type;
$export_type = isset($export_type) ? $export_type : 'pdf';

$path = PMA_securePath(ucfirst($export_type));
if (!file_exists('./libraries/schema/' . $path . '_Relation_Schema.class.php')) {
    PMA_Export_Relation_Schema::dieSchema($_POST['chpage'],$export_type,__('File doesn't exist'));
$obj_schema = eval("new PMA_".$path."_Relation_Schema();");
phpMyAdmin- Remote Code Execution

For the sake of completness, there is also a XSS vulnerability via export_type parameter.

phpMyAdmin- XSS