Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

phpMyAdmin Remote Code Execution Vulnerability via Static Code Injection in setup.php

Vulnerability

A static code injection vulnerability has been identified in phpMyAdmin versions 2.11.x prior to 2.11.9.5 and 3.x prior to 3.1.3.1. This vulnerability allows remote attackers to inject arbitrary PHP code into a configuration file through the setup script, which can then be executed on the server.

Impact

Exploitation of this vulnerability allows for remote code execution on the server, with the injected code executed in the context of the user running phpMyAdmin.

Reproduction

The vulnerability can be reproduced by sending a crafted POST request to the 'setup.php' script. This request must include a form token and the 'save' action, along with the configuration data that contains the injected PHP code. Once the code is injected, it can be executed by accessing the configuration file through a crafted URL.
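The request sequence described above (a POST to the setup script, then a request for the configuration file) can be looked for in web-server access logs. The following is an added detection example, not code from the advisory or from phpMyAdmin; the log format, the sample lines, the configuration-file name pattern and the ten-minute window are assumptions to adjust to the deployment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format, documentation IPs).
SAMPLE_LOG = """\
198.51.100.7 - - [16/May/2026:12:00:01 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 200 4312
198.51.100.7 - - [16/May/2026:12:00:02 +0000] "POST /pma/scripts/setup.php HTTP/1.1" 200 5120
198.51.100.7 - - [16/May/2026:12:00:09 +0000] "GET /pma/config/config.inc.php HTTP/1.1" 200 87
203.0.113.9 - - [16/May/2026:12:05:00 +0000] "POST /pma/scripts/setup.php HTTP/1.1" 404 210
203.0.113.9 - - [16/May/2026:12:05:04 +0000] "GET /pma/config/config.inc.php HTTP/1.1" 404 210
192.0.2.5 - - [16/May/2026:12:09:00 +0000] "GET /pma/config/config.inc.php HTTP/1.1" 403 199
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SETUP_RE = re.compile(r"/setup\.php$")         # script named in the advisory
CONFIG_RE = re.compile(r"/config[^/]*\.php$")  # assumption: config file name
WINDOW = timedelta(minutes=10)                 # assumption: correlation window

def parse(line):
    """Return (ip, time, method, path without query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])

def find_suspects(lines):
    """Flag clients whose accepted setup.php POST is followed by a config-file request."""
    last_post = {}  # client IP -> time of its latest POST to setup.php with status < 400
    hits = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, status = rec
        if method == "POST" and SETUP_RE.search(path) and status < 400:
            last_post[ip] = ts
        elif CONFIG_RE.search(path) and ip in last_post and ts - last_post[ip] <= WINDOW:
            hits.append((ip, last_post[ip], path))
    return hits

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG.splitlines()))
```

A hit is a lead for review rather than proof of compromise; the written configuration file itself should be inspected for unexpected PHP code.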

Remediation

Users are advised to upgrade to phpMyAdmin versions 2.11.9.5 or 3.1.3.1. Instructions for upgrading can be found in the Debian Security Advisory DSA-1824-1.

Added: May 16, 2026, 12:14 PM
Updated: May 16, 2026, 12:14 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 7.5
exploitability: 8.3
remediation: 8.3
relevance: 0.0
threat: 9.9
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.