Signature Detail

HTTP: PHP Command Injection

This signature detects Web downloads containing a potentially dangerous PHP script. A malicious site can exploit a known vulnerability in multiple PHP applications and execute arbitrary PHP commands on the victim's server.

Extended Description

phpMyAdmin is prone to a remote PHP code-injection vulnerability. An attacker can exploit this issue to inject and execute arbitrary malicious PHP code in the context of the webserver process. This may facilitate a compromise of the application and the underlying system; other attacks are also possible. Versions prior to phpMyAdmin 2.11.9.5 and 3.1.3.1 are vulnerable.

Affected Products

• Debian linux 4.0
• Debian linux 4.0 Alpha
• Debian linux 4.0 Amd64
• Debian linux 4.0 Arm
• Debian linux 4.0 Armel
• Debian linux 4.0 Hppa
• Debian linux 4.0 Ia-32
• Debian linux 4.0 Ia-64
• Debian linux 4.0 M68k
• Debian linux 4.0 Mips
• Debian linux 4.0 Mipsel
• Debian linux 4.0 Powerpc
• Debian linux 4.0 S/390
• Debian linux 4.0 Sparc
• Debian linux 5.0
• Debian linux 5.0 Alpha
• Debian linux 5.0 Amd64
• Debian linux 5.0 Arm
• Debian linux 5.0 Armel
• Debian linux 5.0 Hppa
• Debian linux 5.0 Ia-32
• Debian linux 5.0 Ia-64
• Debian linux 5.0 M68k
• Debian linux 5.0 Mips
• Debian linux 5.0 Mipsel
• Debian linux 5.0 Powerpc
• Debian linux 5.0 S/390
• Debian linux 5.0 Sparc
• Gentoo linux
• Mandriva corporate_server 4.0
• Mandriva corporate_server 4.0.0 X86 64
• Phpmyadmin phpmyadmin 2.11.1
• Phpmyadmin phpmyadmin 2.11.1.1
• Phpmyadmin phpmyadmin 2.11.1.2
• Phpmyadmin phpmyadmin 2.11.2.1
• Phpmyadmin phpmyadmin 2.11.2.2
• Phpmyadmin phpmyadmin 2.11.4
• Phpmyadmin phpmyadmin 2.11.5
• Phpmyadmin phpmyadmin 2.11.5.1
• Phpmyadmin phpmyadmin 2.11.5.2
• Phpmyadmin phpmyadmin 2.11.7
• Phpmyadmin phpmyadmin 2.11.8
• Phpmyadmin phpmyadmin 2.11.8.1
• Phpmyadmin phpmyadmin 2.11.9
• Phpmyadmin phpmyadmin 2.11.9 .1
• Phpmyadmin phpmyadmin 2.11.9.2
• Phpmyadmin phpmyadmin 2.11.9.3
• Phpmyadmin phpmyadmin 2.11.9 4
• Phpmyadmin phpmyadmin 2.2.3
• Phpmyadmin phpmyadmin 2.2.6
• Phpmyadmin phpmyadmin 2.5.1
• Phpmyadmin phpmyadmin 2.5.4
• Phpmyadmin phpmyadmin 2.5.5
• Phpmyadmin phpmyadmin 2.5.5 Pl1
• Phpmyadmin phpmyadmin 2.5.5 -Rc1
• Phpmyadmin phpmyadmin 2.5.5 -Rc2
• Phpmyadmin phpmyadmin 2.5.6 -Rc1
• Phpmyadmin phpmyadmin 2.5.7
• Phpmyadmin phpmyadmin 2.6.0
• Phpmyadmin phpmyadmin 2.6.0 .0Pl1
• Phpmyadmin phpmyadmin 2.6.0 .0Pl2
• Phpmyadmin phpmyadmin 2.6.0 .0Pl3
• Phpmyadmin phpmyadmin 2.6.1
• Phpmyadmin phpmyadmin 2.6.1 Pl1
• Phpmyadmin phpmyadmin 2.6.1 Pl3
• Phpmyadmin phpmyadmin 2.6.1 -Rc1
• Phpmyadmin phpmyadmin 2.6.2
• Phpmyadmin phpmyadmin 2.6.2 -Rc1
• Phpmyadmin phpmyadmin 2.6.3 -Pl1
• Phpmyadmin phpmyadmin 2.6.4 -Pl1
• Phpmyadmin phpmyadmin 2.6.4 -Pl3
• Phpmyadmin phpmyadmin 2.6.4 -Pl4
• Phpmyadmin phpmyadmin 2.6.4 -Rc1
• Phpmyadmin phpmyadmin 2.7.0
• Phpmyadmin phpmyadmin 2.7.0 .0-Beta1
• Phpmyadmin phpmyadmin 2.7.0 -Pl1
• Phpmyadmin phpmyadmin 2.7.0-Pl2
• Phpmyadmin phpmyadmin 2.8.0 .1
• Phpmyadmin phpmyadmin 2.8.0 .3
• Phpmyadmin phpmyadmin 2.8.0 .4
• Phpmyadmin phpmyadmin 2.8.1
• Phpmyadmin phpmyadmin 2.8.2
• Phpmyadmin phpmyadmin 3.0.0
• Phpmyadmin phpmyadmin 3.0.1
• Phpmyadmin phpmyadmin 3.0.1.1
• Phpmyadmin phpmyadmin 3.1.1 0
• Red_hat fedora 10
• Red_hat fedora 9
• Suse opensuse 10.3
• Suse opensuse 11.0

References

• BugTraq: 30135
• BugTraq: 34236
• BugTraq: 37314
• BugTraq: 98545
• BugTraq: 63411
• BugTraq: 51647
• BugTraq: 55399
• BugTraq: 54292
• BugTraq: 35467
• BugTraq: 57603
• BugTraq: 54464
• BugTraq: 50706
• BugTraq: 50331
• BugTraq: 51576
• CVE: CVE-2010-4279
• CVE: CVE-2013-0803
• CVE: CVE-2013-3629
• CVE: CVE-2009-1151
• CVE: CVE-2017-0372
• CVE: CVE-2016-1209
• CVE: CVE-2015-6967
• CVE: CVE-2017-18048
• CVE: CVE-2017-9101
• CVE: CVE-2017-9080
• CVE: CVE-2014-6446
• CVE: CVE-2014-1691
• CVE: CVE-2011-4828
• CVE: CVE-2011-4075
• CVE: CVE-2012-1153
• CVE: CVE-2017-16524
• CVE: CVE-2008-6825
• CVE: CVE-2011-4825
• CVE: CVE-2013-3591
• CVE: CVE-2009-4140
• CVE: CVE-2013-1412
• CVE: CVE-2014-8791
• URL: http://sourceforge.net/projects/freenas/files/stable/0.7.2/NOTES%200.7.2.5543.txt/download
• URL: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
• URL: http://www.juniper.net/security/auto/vulnerabilities/vuln35467.html
• URL: http://krebsonsecurity.com/tag/phoenix-exploit-kit/
• URL: https://www.pwnmalw.re/Exploit%20Pack/phoenix
• URL: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
• URL: http://xforce.iss.net/xforce/xfdb/71358
• URL: http://itsecuritysolutions.org/2012-07-01-CuteFlow-2.11.2-multiple-security-vulnerabilities/
• URL: http://karmainsecurity.com/exploiting-cve-2014-1691-horde-framework-php-object-injection
• URL: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=737149
• URL: https://github.com/horde/horde/commit/da6afc7e9f4e290f782eca9dbca794f772caccb3
• URL: http://www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html
• URL: https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats
• URL: http://contrib.spip.net/SPIP-3-0-3-2-1-16-et-2-0-21-a-l-etape-303-epate-la
• URL: https://github.com/rapid7/metasploit-framework/pull/4076
• URL: http://karmainsecurity.com/KIS-2014-13
• URL: https://tuleap.net/plugins/tracker/?aid=7601
• URL: http://www.trixbox.org/
• URL: http://www.homelab.it/index.php/2015/04/12/wordpress-n-media-website-contact-form-shell-upload/
• URL: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/pandora_upload_exec.rb
• URL: http://research.g0blin.co.uk/cve-2014-6446/
• URL: http://karmainsecurity.com/KIS-2013-01
• URL: https://www.exploit-db.com/docs/27654.pdf
• URL: https://www.us-cert.gov/ncas/alerts/TA15-313A
• URL: http://traqproject.org/
• URL: http://secunia.com/advisories/49103/
• URL: https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html