CVE-2005-3299
Description
PHP file inclusion vulnerability in grab_globals.lib.php in phpMyAdmin 2.6.4 and 2.6.4-pl1 allows remote attackers to include local files via the $__redirect parameter, possibly involving the subform array.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl1:*:*:*:*:*:*:*
- (no CPE)range: <=2.6.4-pl1
Patches
Vulnerability mechanics
Root cause
"The application fails to properly validate the value of the $__redirect parameter before including a file."
Attack vector
An attacker can send a POST request to the phpMyAdmin index.php page. This request must include the parameter 'usesubform' and a nested 'subform' array containing a 'redirect' key. The value of the 'redirect' key will be used to include a local file, leading to a local file inclusion vulnerability [ref_id=1]. This attack does not require authentication and can be performed remotely [ref_id=1].
Affected code
The vulnerability exists in the file ./libraries/grab_globals.lib.php. Specifically, lines 101-104 handle the inclusion of a file based on the $__redirect variable, which is populated earlier in the script (lines 53-67) from POST data, including a 'redirect' parameter within a 'subform' array [ref_id=1].
What the fix does
The advisory recommends upgrading to phpMyAdmin version 2.6.4-pl2 or newer to resolve this vulnerability [ref_id=3]. The patch, not provided in the bundle, likely addresses the improper validation of the $__redirect parameter in libraries/grab_globals.lib.php to prevent arbitrary file inclusions.
Preconditions
- configThe system must not be running in PHP safe mode, or open_basedir restrictions must allow access to sensitive data [ref_id=3].
- authNo authentication is required to exploit this vulnerability [ref_id=1].
- inputThe attacker must be able to control the $__redirect parameter via POST data, specifically through a 'subform' array containing a 'redirect' key [ref_id=1].
Reproduction
<CENTER> <A HREF="http://cxsecurity.com"><IMG SRC="http://cxsecurity.com/gfx/small_logo.png"></A><P> <FORM action="http://localhost/phpMyAdmin-2.6.4-pl1/index.php" method=post enctype="multipart/form-data"> <input TYPE="hidden" name="usesubform[1]" value="1"> <input TYPE="hidden" name="usesubform[2]" value="1"> <input TYPE="text" name="subform[1][redirect]" value="../../../../../etc/passwd" size=30> File<p> <input TYPE="hidden" name="subform[1][cXIb8O3]" value="1"> <input TYPE="submit" value="Exploit"> </FORM> - -Exploit--- [ref_id=1]
Generated on Jun 3, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- secunia.com/advisories/17137nvdPatchVendor Advisory
- www.gentoo.org/security/en/glsa/glsa-200510-16.xmlnvdPatchVendor Advisory
- www.phpmyadmin.net/home_page/security.phpnvdPatchVendor Advisory
- securityreason.com/securityalert/69nvd
- www.securityfocus.com/bid/15053nvd
News mentions
0No linked articles in our index yet.