CVE-2005-4349
Description
SQL injection vulnerability in server_privileges.php in phpMyAdmin 2.7.0 allows remote authenticated users to execute arbitrary SQL commands via the (1) dbname and (2) checkprivs parameters. NOTE: the vendor and a third party have disputed this issue, saying that the main task of the program is to support query execution by authenticated users, and no external attack scenario exists without an auto-login configuration. Thus it is likely that this issue will be REJECTED. However, a closely related CSRF issue has been assigned CVE-2005-4450.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0:*:*:*:*:*:*:*
- (no CPE) range: =2.7.0
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization of the `dbname` and `checkprivs` parameters in `server_privileges.php` allows SQL injection."
Attack vector
A remote authenticated attacker sends a crafted URI to `server_privileges.php` with a single quote or other SQL metacharacters in the `dbname` or `checkprivs` parameters. Because these parameters are not properly neutralized, the attacker can inject arbitrary SQL commands into the database query [CWE-89]. The vendor disputes the severity, noting that the attacker must already be an authenticated privileged user, and that no auto-login configuration is assumed [ref_id=1].
Affected code
The vulnerability resides in `server_privileges.php`. The `$dbname` parameter (line 27) is checked only for wildcard characters via a regex but is not sanitized against SQL metacharacters. The `$checkprivs` parameter (lines 1197 and 1241) is used directly in SQL queries without validation [ref_id=1][ref_id=2].
What the fix does
No official patch was published at the time of disclosure; the researcher stated they were not aware of any security patch [ref_id=1][ref_id=2]. The vendor responded that the issue is not a real threat because `server_privileges.php` already checks that the user is privileged, and the attack only applies in misconfigured auto-login setups [ref_id=1]. Proper remediation would involve escaping or parameterizing the `$dbname` and `$checkprivs` inputs before they are used in SQL statements.
Preconditions
- auth: Attacker must be an authenticated user with privileges in phpMyAdmin
- network: The phpMyAdmin instance must allow the attacker to reach server_privileges.php (no additional network restrictions)
- input: Attacker sends crafted HTTP GET parameters (dbname or checkprivs) containing SQL metacharacters
Reproduction
The advisory provides two proof-of-concept URIs [ref_id=1][ref_id=2]:
1. `http://victim/phpmyadmin/server_privileges.php?server=1&checkprivs='`
2. `http://victim/phpmyadmin/server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1`
These inject a single quote into the `checkprivs` or `hostname` parameters to trigger SQL injection.
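For log review, the request pattern described above can be matched in web server access logs. The following is an added example, not part of the advisory or of phpMyAdmin: the log lines are constructed, the combined log format is assumed, and the metacharacter set is an assumption chosen for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters named in the CVE description, plus `hostname`,
# which the second proof-of-concept URI uses.
WATCHED_PARAMS = ("dbname", "checkprivs", "hostname")
# Assumed metacharacter set: quotes, statement separator, comment openers.
SQL_META = re.compile(r"""['";]|--|/\*""")
# Request line inside a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(log_line):
    """Return watched parameter names whose decoded value holds SQL metacharacters."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.endswith("/server_privileges.php"):
        return []
    # parse_qs percent-decodes values, so %27 and a raw ' are treated alike.
    query = parse_qs(url.query, keep_blank_values=True)
    return sorted(
        name for name in WATCHED_PARAMS
        if any(SQL_META.search(v) for v in query.get(name, []))
    )

def scan(lines):
    """Return (line_number, parameter_names) for every flagged log line."""
    return [(i, hits) for i, line in enumerate(lines, 1)
            if (hits := suspicious_params(line))]

# Constructed sample log lines (documentation IP addresses, invented timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - admin [12/Dec/2005:10:01:02 +0000] "GET /phpmyadmin/'
    'server_privileges.php?server=1&checkprivs=%27 HTTP/1.1" 200 5120',
    '192.0.2.10 - admin [12/Dec/2005:10:01:09 +0000] "GET /phpmyadmin/'
    "server_privileges.php?server=1&hostname='&username=1&dbname=1&tablename=1"
    ' HTTP/1.1" 200 4977',
    '192.0.2.22 - admin [12/Dec/2005:10:02:30 +0000] "GET /phpmyadmin/'
    'server_privileges.php?server=1&checkprivs=inventory HTTP/1.1" 200 6310',
    '192.0.2.22 - admin [12/Dec/2005:10:02:41 +0000] "GET /phpmyadmin/'
    'index.php?db=o%27brien HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, params in scan(SAMPLE_LOG):
        print(f"line {line_no}: SQL metacharacters in {', '.join(params)}")
```

Because the issue requires an authenticated privileged user, a hit is a prompt to check which account sent the request rather than proof of compromise.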
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References