CVE-2019-19617

9.8 CRITICAL

📋 TL;DR

This vulnerability in phpMyAdmin allows attackers to execute arbitrary code through improper escaping of Git information. It affects all phpMyAdmin installations before version 4.9.2 that have Git information exposed. Attackers can exploit this to gain control of the server running phpMyAdmin.

💻 Affected Systems

Products:
  • phpMyAdmin
Versions: All versions before 4.9.2
Operating Systems: All operating systems running phpMyAdmin
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when Git information is exposed, which occurs in standard installations with Git integration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete server compromise, data theft, and lateral movement within the network.

🟠 Likely Case: Remote code execution allowing attackers to execute arbitrary commands on the server, potentially leading to data exfiltration or further system compromise.

🟢 If Mitigated: Limited impact if proper network segmentation and access controls prevent external access to phpMyAdmin instances.

🌐 Internet-Facing: HIGH - phpMyAdmin instances exposed to the internet are directly vulnerable to remote exploitation.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but require attacker access to the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to the phpMyAdmin interface but does not require authentication if the instance is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.2 and later

Vendor Advisory: https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/

Restart Required: No

Instructions:

1. Back up your phpMyAdmin configuration and database.
2. Download phpMyAdmin 4.9.2 or later from the official website.
3. Replace the existing phpMyAdmin installation with the new version.
4. Verify the installation is working correctly.

🔧 Temporary Workarounds

Disable Git Information Display (applies to: all)

Remove or disable the Git revision display functionality to prevent exploitation:

  • Remove or rename libraries/classes/Display/GitRevision.php
  • Remove Git-related code from libraries/classes/Footer.php

Restrict Access (applies to: all)

Implement IP-based access controls to limit who can access phpMyAdmin:

  • Add 'Require ip 192.168.1.0/24' to Apache .htaccess or equivalent for other web servers

🧯 If You Can't Patch

  • Implement strict network access controls to prevent external access to phpMyAdmin
  • Deploy a web application firewall (WAF) with rules to block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check phpMyAdmin version by viewing the footer on any phpMyAdmin page or checking the version in the source code.

Check Version:

grep -r '\$version' config.inc.php 2>/dev/null || echo 'Check phpMyAdmin interface footer'

Verify Fix Applied:

Verify the version is 4.9.2 or higher and check that Git information is properly escaped in the interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to phpMyAdmin endpoints
  • Access attempts to Git-related files in phpMyAdmin directory
  • Unexpected process execution from web server user

Network Indicators:

  • HTTP requests containing Git-related parameters to phpMyAdmin URLs
  • Unusual outbound connections from web server

SIEM Query:

source="web_access.log" AND url="*phpmyadmin*" AND (method="POST" OR params="*git*" OR user_agent="*scanner*")
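As an added example (not part of this page or of phpMyAdmin itself), the SIEM query above expressed as a Python check over constructed combined-format access-log lines; the log field layout, sample addresses and user agents are assumptions, and the "post" clause is flagged separately because ordinary logins and SQL submissions are POSTs too:

```python
import re
from typing import Dict, List, Optional

# Combined log format as written by Apache/nginx (constructed sample below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: a normal visit, a login POST, a git-parameter probe,
# a scanner user agent, and a non-phpMyAdmin request that must not match.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Dec/2019:10:00:01 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Dec/2019:10:00:07 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2019:10:01:12 +0000] "GET /phpmyadmin/index.php?git_revision=1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.9 - - [01/Dec/2019:10:01:15 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 4096 "-" "vuln-scanner/2.1"
198.51.100.2 - - [01/Dec/2019:10:02:00 +0000] "GET /blog/?git=1 HTTP/1.1" 200 1024 "-" "scanner"
"""

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def match_reasons(entry: Dict[str, str]) -> List[str]:
    """Clauses of the SIEM query this entry satisfies; empty list means no match."""
    if "phpmyadmin" not in entry["target"].lower():
        return []  # the query scopes everything to phpMyAdmin URLs
    query = entry["target"].partition("?")[2]
    reasons = []
    if entry["method"] == "POST":
        reasons.append("post")  # noisy on its own: logins and SQL submissions are POSTs
    if "git" in query.lower():
        reasons.append("git-param")
    if "scanner" in entry["ua"].lower():
        reasons.append("scanner-ua")
    return reasons

def scan_log(text: str) -> List[Dict[str, object]]:
    """Run the query over a log blob; unparseable lines are skipped, not treated as hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is not None and (reasons := match_reasons(entry)):
            hits.append({"line": n, "ip": entry["ip"], "reasons": reasons})
    return hits
```

Each hit records which clause fired, so a POST-only hit can be triaged at lower priority than a git-parameter or scanner hit.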
