CVE-2004-2631
Description
Eval injection in phpMyAdmin 2.5.1–2.5.7 allows remote attackers to execute arbitrary PHP code via a crafted table name when LeftFrameLight is disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Eval injection in phpMyAdmin 2.5.1–2.5.7 allows remote attackers to execute arbitrary PHP code via a crafted table name when LeftFrameLight is disabled.
Vulnerability
An eval injection vulnerability exists in left.php of phpMyAdmin versions 2.5.1 through 2.5.7. The eval() function is used to process table names without proper sanitization. When the configuration option $cfg['LeftFrameLight'] is set to FALSE, an attacker can inject arbitrary PHP code by supplying a specially crafted table name [3][4].
Exploitation
Exploitation requires that $cfg['LeftFrameLight'] is FALSE. The attacker must be able to influence the table name that phpMyAdmin processes. This can be achieved by directing phpMyAdmin to a malicious MySQL server that returns a crafted table name, or by manipulating input variables that affect the table name [3]. The attacker does not need authentication if they can control the MySQL server connection [4].
Impact
Successful exploitation allows remote execution of arbitrary PHP code with the permissions of the web server. This can lead to full compromise of the server, including data disclosure, modification, or denial of service [3][4].
Mitigation
The vulnerability is fixed in phpMyAdmin version 2.5.7-pl1 and later [3]. As a workaround, set $cfg['LeftFrameLight'] to TRUE to disable the vulnerable code path. Additionally, ensuring PHP safe mode is enabled or restricting outbound network connections can limit the attack surface [3][4].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
13cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*+ 12 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7:*:*:*:*:*:*:*
- (no CPE)range: >=2.5.1, <=2.5.7
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The application improperly handles crafted table names, allowing for code injection."
Attack vector
An attacker can exploit this vulnerability by sending a crafted table name to the `left.php` script. This crafted name contains PHP code that is then executed by the server. The exploit requires the `LeftFrameLight` configuration option to be set to `FALSE` [ref_id=1]. The attacker needs to provide specific server connection details, including host, port, authentication type, user, password, and the database name [ref_id=1].
Affected code
The vulnerability exists in the `left.php` file of phpMyAdmin. Specifically, the handling of table names, particularly when the `LeftFrameLight` configuration is disabled, is implicated. The exploit involves manipulating the data received from the MySQL server when querying for table names, replacing legitimate table names with injected PHP code [ref_id=1].
What the fix does
The advisory indicates that phpMyAdmin versions prior to 2.6.0_p2 are affected. Users are advised to upgrade to version 2.6.0_p2 or later to remediate the vulnerability [ref_id=2]. The specific code changes in the patch are not detailed in the provided references, but the upgrade resolves the issue related to the MIME-based transformation system.
Preconditions
- configThe `LeftFrameLight` configuration option must be set to `FALSE`.
- configPHP's "safe mode" must be disabled for the vulnerability to be exploitable for remote command execution [ref_id=2].
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12- secunia.com/advisories/11974nvdPatchVendor Advisory
- www.osvdb.org/7314nvdPatch
- www.phpmyadmin.net/home_page/security.phpnvdPatch
- archives.neohapsis.com/archives/bugtraq/2004-06/0444.htmlnvdExploit
- eagle.kecapi.com/sec/fd/phpMyAdmin.htmlnvdExploit
- securitytracker.com/idnvdExploit
- www.securiteam.com/unixfocus/5QP040ADFW.htmlnvdExploit
- www.securityfocus.com/bid/10629nvdExploitPatch
- archives.neohapsis.com/archives/bugtraq/2004-06/0473.htmlnvd
- marc.infonvd
- www.gentoo.org/security/en/glsa/glsa-200407-22.xmlnvd
- exchange.xforce.ibmcloud.com/vulnerabilities/16542nvd
News mentions
0No linked articles in our index yet.