GUnet OpenEclass phpMyAdmin Remote Access Vulnerability

A vulnerability in GUnet OpenEclass version 1.7.3 allows authenticated users to access phpMyAdmin remotely. This version of OpenEclass includes phpMyAdmin 2.10.0.2 by default, which permits remote logins. After uploading a web shell through a file upload vulnerability, an attacker can access the config.php file via phpMyAdmin to retrieve the MySQL password, potentially leading to a complete database compromise.

Impact

Exploitation of this vulnerability allows for unauthorized remote access to phpMyAdmin, where an attacker can upload a shell and access sensitive database credentials, facilitating a full database compromise.

Reproduction

To reproduce this vulnerability, first log into the GUnet OpenEclass platform as a student. Navigate to the 'agenda' module and exploit an error-based SQL injection vulnerability to extract administrator credentials. Once logged in as an admin, access the 'restore_course.php' page to upload a PHP shell disguised as a .php3 file. After uploading, the shell can be accessed through the course's 'work' directory. With the shell uploaded, phpMyAdmin can be accessed via the admin module, allowing the extraction of the MySQL password from the config.php file.