#VU42756 Permissions, Privileges, and Access Controls in phpMyAdmin - CVE-2013-4729

Cybersecurity Help s.r.o.

Published: 2013-07-04 | Updated: 2020-08-11

Vulnerability identifier: #VU42756

Vulnerability risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2013-4729

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
phpMyAdmin
Web applications / Remote management & hosting panels

Vendor: phpMyAdmin

Description

The vulnerability allows a remote #AU# to manipulate or delete data.

import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.

Mitigation
Install update from vendor's website.

Vulnerable software versions

phpMyAdmin: 4.0.0 - 4.0.4

External links
https://www.phpmyadmin.net/home_page/security/PMASA-2013-7.php
https://github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Permissions, Privileges, and Access Controls in phpMyAdmin