CVE-2022-0813 An attacker can retrieve sensitive information by creating invalid requests in phpMyAdmin 5.1.1 and earlier.


An attacker can create a request with a valid pma_id but a different lang value, which will cause the server to respond with the content of the lang parameter. An attacker can also create a request with a valid pma_id but a different cookie value, which will cause the server to respond with the content of the cookie section. Either response can be used to retrieve potentially sensitive information, such as an administrative password or a list of installed extensions. The lang and cookie parameters are also accessible directly via the query string.

Overview of the vulnerability

This issue occurs when a phpMyAdmin user is authenticated on the frontend, but is not authenticated on the backend. The frontend only allows login to users who are logged in on the backend. This means that regardless of whether or not your server has been compromised, if you're a phpMyAdmin user, you have administrative access to your database.

Solution

The issue lies in the lang and cookie parameters, which can be accessed directly via the query string. As a result, an attacker can create a request with a valid pma_id but a different lang value, which will cause the server to respond with the content of the lang parameter. An attacker can also create a request with a valid pma_id but a different cookie value, which will cause the server to respond with the content of the cookie section. Either response can be used to retrieve potentially sensitive information, such as an administrative password or a list of installed extensions.
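A defender can look for the lang half of this pattern in web server access logs. The following is an added example, not code from phpMyAdmin or from the original page; it assumes combined-format log lines, a /phpmyadmin/ install path, and a simple pattern for well-formed language codes, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the request field looks like "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Assumption: a well-formed language code looks like "en", "pt_BR" or "zh-Hant"
LANG_RE = re.compile(r"[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})?")
PMA_PREFIX = "/phpmyadmin/"  # assumption: adjust to the local install path

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2022:10:00:01 +0000] "GET /phpmyadmin/index.php?lang=en HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Mar/2022:10:00:05 +0000] "GET /phpmyadmin/index.php?lang=not%20a%20language HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Mar/2022:10:00:06 +0000] "GET /phpmyadmin/index.php?lang=en&lang=de HTTP/1.1" 200 812',
    '203.0.113.9 - - [01/Mar/2022:10:00:07 +0000] "GET /phpmyadmin/index.php?lang= HTTP/1.1" 200 812',
    '198.51.100.4 - - [01/Mar/2022:10:00:09 +0000] "GET /shop/index.php?lang=not%20a%20language HTTP/1.1" 200 100',
]

def suspicious_lang_requests(log_lines):
    """Return (line_number, reason) for phpMyAdmin requests with an odd lang value."""
    findings = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line this parser understands
        url = urlsplit(match.group(1))
        if not url.path.lower().startswith(PMA_PREFIX):
            continue  # other applications may use lang differently
        # parse_qsl percent-decodes values; keep blanks so "lang=" is still seen
        params = parse_qsl(url.query, keep_blank_values=True)
        langs = [value for key, value in params if key == "lang"]
        if len(langs) > 1:
            findings.append((number, "repeated lang parameter"))
        elif langs and not LANG_RE.fullmatch(langs[0]):
            findings.append((number, "malformed lang value"))
    return findings

if __name__ == "__main__":
    for number, reason in suspicious_lang_requests(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

Hits from this check are leads for review, not proof of exploitation; the cookie variant described above is not visible in a standard access log and is not covered here.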

Information Disclosure

If an attacker has a valid pma_id, they can access information about extensions on the server.
