CVE-2009-1285

Phpmyadmin - Code Injection

Title source: rule

Description

Static code injection vulnerability in the getConfigFile function in setup/lib/ConfigFile.class.php in phpMyAdmin 3.x before 3.1.3.2 allows remote attackers to inject arbitrary PHP code into configuration files.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Greg Ose, pagvac, egypt, Tenable, g0tmi1k · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/webapp/phpmyadmin_config.rb

View Code ZIP pw:eip

References (8)

[Exploit] http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_3_1_3/phpMyAdmin/setup/lib/ConfigFile.class.php?r1=12248&r2=12301&pathrev=12342

[Patch, Vendor Advisory] http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

[Patch] http://www.securityfocus.com/bid/34526

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00442.html

[Vendor Advisory] https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00452.html

[Third Party Advisory] http://secunia.com/advisories/34727

[Third Party Advisory] http://secunia.com/advisories/34741

[Third Party Advisory] http://www.vupen.com/english/advisories/2009/1045

Scores

EPSS 0.3606

EPSS Percentile 97.1%

Details

CWE

CWE-94

Status published

Products (8)

phpmyadmin/phpmyadmin 3.0.0

phpmyadmin/phpmyadmin 3.0.1

phpmyadmin/phpmyadmin 3.1.0

phpmyadmin/phpmyadmin 3.1.0.0

phpmyadmin/phpmyadmin 3.1.1 (2 CPE variants)

phpmyadmin/phpmyadmin 3.1.2 (2 CPE variants)

phpmyadmin/phpmyadmin 3.1.3 (3 CPE variants)

phpmyadmin/phpmyadmin 3.1.3.1

Published Apr 16, 2009

Tracked Since Feb 18, 2026