CVE-2019-6799 in phpMyAdmin
Summary
by MITRE
An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/03/2023
The vulnerability identified as CVE-2019-6799 represents a critical security flaw in phpMyAdmin versions prior to 4.8.5 that stems from improper handling of file access permissions when connecting to MySQL servers. This issue specifically manifests when the AllowArbitraryServer configuration option is enabled, creating a dangerous attack vector that allows remote adversaries to potentially access sensitive server files through a malicious MySQL server connection. The vulnerability operates through a sophisticated chain of exploitation that leverages the interaction between phpMyAdmin's connection handling and underlying MySQL client libraries.
The technical root cause of this vulnerability lies in how phpMyAdmin processes MySQL connections when arbitrary server access is permitted. When AllowArbitraryServer is enabled, the application allows users to connect to any MySQL server, which creates an opportunity for attackers to set up rogue MySQL servers that can manipulate file access behavior. The vulnerability specifically relates to the mysql.allow_local_infile PHP configuration parameter and how phpMyAdmin handles the MYSQLI_OPT_LOCAL_INFILE option. The system inadvertently ignores the MYSQLI_OPT_LOCAL_INFILE calls, which should normally prevent local file inclusion attacks, allowing attackers to bypass security controls that would typically restrict file access during database operations.
This vulnerability creates significant operational impact for systems running vulnerable versions of phpMyAdmin, as it enables attackers to read arbitrary files on the web server where phpMyAdmin is hosted. The attack requires an attacker to have control over a MySQL server that can be connected to through phpMyAdmin, but once successful, the attacker can access any file that the web server process has read permissions for. This could include database configuration files, application source code, user credentials, and other sensitive information that might be stored on the server. The impact extends beyond simple information disclosure, as the ability to read system files could potentially lead to further exploitation or privilege escalation depending on the server configuration and file permissions.
The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Relative Path Traversal) categories, as it involves improper handling of file paths and access controls during database operations. From an ATT&CK framework perspective, this vulnerability maps to T1083 (File and Directory Discovery) and T1078 (Valid Accounts) as attackers can discover and access files on the system using legitimate database connection mechanisms. The threat model suggests that this vulnerability could be exploited by attackers who have already gained some level of access to a system or who can manipulate database connection parameters. Organizations should implement immediate mitigations including upgrading to phpMyAdmin version 4.8.5 or later, disabling the AllowArbitraryServer configuration option in production environments, and reviewing all MySQL connection parameters to ensure proper file access controls are maintained. Network segmentation and monitoring of database connection attempts can also provide additional defense in depth measures to detect potential exploitation attempts.