What is phpMyAdmin?
phpMyAdmin is an open-source, browser-based administration tool for MySQL and MariaDB databases, written in PHP. It provides a graphical interface for database administrators to manage databases, tables, users, and data without needing direct command-line access. phpMyAdmin is one of the most widely deployed web applications in the world — it ships with or is installed alongside MySQL/MariaDB in most Linux-based web hosting environments and is included by default in control panels like cPanel and Plesk. Because phpMyAdmin provides direct MySQL access and often runs with full database administrator credentials, a compromise of phpMyAdmin is equivalent to full compromise of the target database server.
Overview
CVE-2009-1151 is a critical remote code execution vulnerability (CWE-94, CVSS 9.8) in phpMyAdmin. The setup script (setup.php), which is used during initial configuration to generate phpMyAdmin's configuration file, could be tricked via a crafted HTTP POST request into writing arbitrary PHP code into the generated configuration file. This code would then execute on the server when the configuration file was loaded. The vulnerability required no authentication and affected all phpMyAdmin installations where setup.php remained accessible after initial setup. Fixed in phpMyAdmin 2.11.10 and 3.1.3.1. CISA added it to the KEV catalog in March 2022.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| phpMyAdmin 2.x before 2.11.10 | Affected | Upgrade to 2.11.10 |
| phpMyAdmin 3.0.x - 3.1.x before 3.1.3.1 | Affected | Upgrade to 3.1.3.1 |
Note: phpMyAdmin 2.x is long past end-of-life. All deployments should run current supported phpMyAdmin versions with setup.php protected or removed.
Technical Details
The vulnerability (CWE-94: Code Injection) exists in the setup.php script distributed with phpMyAdmin. The setup script is intended to be used once during initial configuration to interactively generate a config.inc.php file containing database connection parameters. The script was not intended to remain accessible after initial setup but was routinely left in place.
The exploit mechanism:
- The `setup.php` script accepts configuration parameters via HTTP POST requests
- It generates PHP code based on those parameters and writes the result to `config.inc.php` (or a similarly named configuration file)
- The script failed to sanitize the POST parameter values before embedding them in the generated PHP code
- An attacker could inject arbitrary PHP code (such as `system()` or `eval()` calls) into a POST parameter
- The injected code would be written verbatim into `config.inc.php`
- On the next request to phpMyAdmin, the configuration file was loaded by PHP's `require()` or `include()`, executing the injected code with the privileges of the web server process
Because phpMyAdmin runs with web server privileges and typically has direct access to the MySQL server (and often to MySQL root credentials stored in the config file), this provides immediate RCE with database administrator access.
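The generator shape described above, beside its hardened form, as an added illustration written for this page. This is not phpMyAdmin's own setup code; the `$cfg['Servers'][1][...]` layout and the field names are assumptions chosen to keep the example small.

```php
<?php
// Added illustration, not phpMyAdmin's own setup code: a minimal config
// generator in the unsafe shape this vulnerability class has, beside the
// hardened form. Key names and the $cfg layout are assumptions.

declare(strict_types=1);

/**
 * Unsafe: the raw value is dropped between single quotes. A value that
 * contains a closing quote ends the string literal early and everything
 * after it is parsed, and later executed, as PHP.
 */
function generateConfigUnsafe(array $params): string
{
    $out = "<?php\n";
    foreach ($params as $key => $value) {
        $out .= "\$cfg['Servers'][1]['$key'] = '$value';\n";
    }
    return $out;
}

/**
 * Hardened: keys come from a fixed allow-list (so the left-hand side is
 * never attacker-controlled) and each value is serialized with
 * var_export(), which emits a correctly escaped PHP literal. Whatever the
 * input contains, it stays inside the string and is never parsed as code.
 */
function generateConfigSafe(array $params): string
{
    $allowed = ['host', 'port', 'user', 'password'];
    $out = "<?php\n";
    foreach ($allowed as $key) {
        if (!array_key_exists($key, $params)) {
            continue;
        }
        if (!is_scalar($params[$key])) {
            throw new InvalidArgumentException("$key must be a scalar value");
        }
        $out .= sprintf(
            "\$cfg['Servers'][1]['%s'] = %s;\n",
            $key,
            var_export($params[$key], true)
        );
    }
    return $out;
}

// Constructed POST data: the password field carries a closing quote followed
// by a harmless statement, the shape of input the advisory describes.
$posted = [
    'host'     => 'localhost',
    'port'     => 3306,
    'user'     => 'pma',
    'password' => "x'; echo 'injected'; //",
];

echo "--- unsafe generator ---\n", generateConfigUnsafe($posted);
echo "--- hardened generator ---\n", generateConfigSafe($posted);
```

In the unsafe output the password line becomes `$cfg['Servers'][1]['password'] = 'x'; echo 'injected'; //';`, a valid statement followed by the injected one, while the hardened output keeps the whole value inside one escaped literal. Note that the key allow-list matters as much as the escaping: interpolating an attacker-chosen key would break out of the left-hand side just as easily as an unescaped value breaks out of the right.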
Discovery
Identified through security research into phpMyAdmin's setup functionality. The vulnerability was extremely simple to exploit — any HTTP client could send a crafted POST request to setup.php without any authentication. The issue reflected a common web application security failure: a configuration utility left accessible after installation that wasn't designed with any access controls.
Exploitation Context
phpMyAdmin's setup.php vulnerability was massively exploited across the internet:
- Mass exploitation via web scanners: Automated vulnerability scanners and exploit tools swept the internet looking for accessible phpMyAdmin `setup.php` endpoints. On shared web hosting servers (which often had hundreds or thousands of virtual hosts), a single successful exploit could yield multiple MySQL databases.
- Web hosting provider impact: The vulnerability was particularly damaging on shared web hosting environments, where phpMyAdmin was installed for all customers. A single vulnerable server could expose dozens or hundreds of customers' databases.
- Database credential harvesting: Even if an attacker only needed database access rather than full server RCE, phpMyAdmin's config files contain MySQL credentials — simply reading `config.inc.php` from a compromised site could yield MySQL root passwords.
- WordPress and Joomla site compromise: Web hosting environments hosting CMS installations often had phpMyAdmin installed alongside. Exploiting phpMyAdmin provided access to all databases, enabling mass defacement, data theft, and malware injection into CMS sites.
- Long-tail exploitation: The March 2022 CISA KEV addition reflects that phpMyAdmin installations running versions from 2009 or earlier continued to exist and were being actively compromised, particularly on neglected web servers.
Remediation
- Upgrade phpMyAdmin: Upgrade to version 2.11.10 or 3.1.3.1 (minimum) or, preferably, the current latest phpMyAdmin release which includes all subsequent security fixes.
- Remove or protect setup.php: After initial configuration, delete or restrict access to `setup.php`. On production phpMyAdmin installations, `setup.php` should never be publicly accessible.
- Restrict phpMyAdmin access: Limit phpMyAdmin to specific trusted IP addresses via web server configuration (`.htaccess` or server config). phpMyAdmin should never be exposed to the public internet.
- Require authentication: Ensure phpMyAdmin is protected by HTTP Basic Auth or a VPN requirement in addition to MySQL authentication.
- Audit for compromise: If `setup.php` was publicly accessible, review `config.inc.php` and web server access logs for indicators of exploitation — unexpected PHP code in configuration files, MySQL queries indicating unauthorized access.
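The audit step above, as an added example written for this page rather than a phpMyAdmin tool. It tokenizes a `config.inc.php` with PHP's own tokenizer and reports anything that is not a plain literal assignment, then scans Apache combined-format access log lines for POST requests to `setup.php`. The config and log samples inside it are constructed, and the `/phpmyadmin/setup.php` path is a placeholder.

```php
<?php
// Added audit helper, not part of phpMyAdmin: tokenizes a config.inc.php
// and flags anything that is not a plain literal assignment, and scans
// Apache combined-format access log lines for POST requests to setup.php.
// Both sample inputs below are constructed for this example.

declare(strict_types=1);

/**
 * A config.inc.php written by the setup script should contain only
 * $cfg[...] = <literal>; statements (plus the $i = 0; $i++; server-counter
 * idiom phpMyAdmin configs use). Anything else, such as a function name,
 * an echo, a backtick or a trailing comment that swallows the original
 * closing quote, is reported with its line number.
 */
function auditConfigSource(string $phpSource): array
{
    $allowedIds = [
        T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_VARIABLE,
        T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DNUMBER, T_INC,
    ];
    $allowedChars = ['[', ']', '=', ';', '-'];
    $findings = [];
    $line = 1; // single-character tokens carry no line; reuse the last one seen
    foreach (token_get_all($phpSource) as $tok) {
        if (is_array($tok)) {
            [$id, $text, $line] = $tok;
            if (in_array($id, $allowedIds, true)) {
                continue;
            }
            // var_export() writes true/false/null as bare words.
            if ($id === T_STRING && in_array(strtolower($text), ['true', 'false', 'null'], true)) {
                continue;
            }
            $findings[] = ['line' => $line, 'token' => token_name($id), 'text' => trim($text)];
        } elseif (!in_array($tok, $allowedChars, true)) {
            $findings[] = ['line' => $line, 'token' => 'char', 'text' => $tok];
        }
    }
    return $findings;
}

/**
 * Returns every combined-format access log line that is a POST to a path
 * ending in setup.php. A production phpMyAdmin should receive none.
 */
function findSetupPosts(array $logLines): array
{
    $pattern = '~^(\S+) \S+ \S+ \[([^\]]+)\] "POST (\S*/setup\.php)(?:\?\S*)? HTTP/[\d.]+" (\d{3})~';
    $hits = [];
    foreach ($logLines as $logLine) {
        if (preg_match($pattern, $logLine, $m)) {
            $hits[] = ['client' => $m[1], 'time' => $m[2], 'path' => $m[3], 'status' => (int) $m[4]];
        }
    }
    return $hits;
}

// Constructed config: lines 2-5 are what a setup script would write;
// line 6 shows an injected statement that survived because the value
// was never escaped.
$sampleConfig = <<<'PHP'
<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['port'] = 3306;
$cfg['Servers'][$i]['password'] = 'x'; echo 'injected'; //';
PHP;

// Constructed access log lines (RFC 5737 documentation addresses).
$sampleLog = [
    '203.0.113.7 - - [24/Mar/2009:10:15:02 +0000] "POST /phpmyadmin/setup.php HTTP/1.1" 200 512 "-" "curl/7.18.2"',
    '198.51.100.4 - - [24/Mar/2009:10:15:09 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [24/Mar/2009:10:15:11 +0000] "GET /phpmyadmin/setup.php HTTP/1.1" 200 2048 "-" "curl/7.18.2"',
];

foreach (auditConfigSource($sampleConfig) as $f) {
    printf("config line %d: unexpected %s '%s'\n", $f['line'], $f['token'], $f['text']);
}
foreach (findSetupPosts($sampleLog) as $h) {
    printf("%s: POST to %s from %s (HTTP %d)\n", $h['time'], $h['path'], $h['client'], $h['status']);
}
```

On the constructed config this reports the `T_ECHO` and `T_COMMENT` tokens on line 6 and, from the log, the single POST from 203.0.113.7. The allow-list approach is deliberate: grepping a config for `system(` or `eval(` only finds the payloads you thought of, whereas rejecting every token that a generated config has no reason to contain catches whatever was injected. If a deployment's config legitimately uses other constructs, extend the allow-list rather than loosening it to a pattern search.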
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2009-1151 |
| Vendor / Product | phpMyAdmin — phpMyAdmin |
| NVD Published | 2009-03-26 |
| NVD Last Modified | 2025-10-22 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-94 |
| CISA KEV Added | 2022-03-25 |
| CISA KEV Deadline | 2022-04-15 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2009-03-24 | phpMyAdmin released versions 2.11.10 and 3.1.3.1 fixing the setup.php code injection vulnerability |
| 2009-03-26 | CVE-2009-1151 published; phpMyAdmin PMASA-2009-3 advisory issued |
| 2022-03-25 | CISA added CVE-2009-1151 to the KEV catalog, reflecting continued exploitation of unpatched phpMyAdmin installations |
| 2022-04-15 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2009-1151 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |