CVE-2009-1149
Description
CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) c_type and possibly (2) file_type parameters.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | < 3.1.3.1 | 3.1.3.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:*:*:*:*:*:*:*:* (range: <= 3.1.3)
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
Patches
69bfbf11c7e9 Protect against inclusion of arbitrary file and HTTP header splitting.
2 files changed · +52 −33
bs_disp_as_mime_type.php+50 −32 modified@@ -6,47 +6,65 @@ * @package BLOBStreaming */ +/** + * Core library. + */ +require_once './libraries/common.inc.php'; + +// load PMA configuration +$PMA_Config = $_SESSION['PMA_Config']; + +// retrieve BS server variables from PMA configuration +$bs_server = $PMA_Config->get('BLOBSTREAMING_SERVER'); +if (empty($bs_server)) die('No blob streaming server configured!'); + +// Check URL parameters +PMA_checkParameters(array('reference', 'c_type')); + +// Increase time limit, because fetching blob might take some time set_time_limit(0); -$filename = isset($_REQUEST['file_path']) ? $_REQUEST['file_path'] : NULL; -$c_type = isset($_REQUEST['c_type']) ? $_REQUEST['c_type'] : NULL; +$reference = $_REQUEST['reference']; +/* + * FIXME: Maybe it would be better to check MIME type against whitelist as + * this code sems to support only few MIME types (check + * function PMA_BS_CreateReferenceLink in libraries/blobstreaming.lib.php). + */ +$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']); + +$filename = 'http://' . $bs_server . '/' . $reference; -if (isset($filename) && isset($c_type)) -{ - $hdrs = get_headers($filename, 1); +$hdrs = get_headers($filename, 1); - if (is_array($hdrs)) - $f_size = $hdrs['Content-Length']; +if ($hdrs === FALSE) die('Failed to fetch headers'); - header("Expires: 0"); - header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); - header("Cache-Control: no-store, no-cache, must-revalidate"); - header("Cache-Control: post-check=0, pre-check=0", false); - header("Pragma: no-cache"); - header("Content-type: $c_type"); - header('Content-length: ' . $f_size); - header("Content-disposition: attachment; filename=" . 
basename($filename)); +$fHnd = fopen($filename, "rb"); - $fHnd = fopen($filename, "rb"); +if ($fHnd === FALSE) die('Failed to open remote URL'); - if ($fHnd) - { - $pos = 0; - $content = ""; +$f_size = $hdrs['Content-Length']; - while (!feof($fHnd)) - { - $content .= fread($fHnd, $f_size); - $pos = strlen($content); +header("Expires: 0"); +header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); +header("Cache-Control: no-store, no-cache, must-revalidate"); +header("Cache-Control: post-check=0, pre-check=0", false); +header("Pragma: no-cache"); +header("Content-type: $c_type"); +header('Content-length: ' . $f_size); +header("Content-disposition: attachment; filename=" . basename($filename)); - if ($pos >= $f_size) - break; - } +$pos = 0; +$content = ""; - echo $content; - flush(); +while (!feof($fHnd)) { + $content .= fread($fHnd, $f_size); + $pos = strlen($content); - fclose($fHnd); - } + if ($pos >= $f_size) + break; } -?> + +echo $content; +flush(); + +fclose($fHnd);
bs_play_media.php+2 −1 modified@@ -40,7 +40,8 @@ $bs_file_path = "http://" . $bs_server . '/' . $bsReference; if (isset($customType) && $customType) - $bs_file_path = "bs_disp_as_mime_type.php?file_path=" . urlencode($bs_file_path) . "&c_type=" . urlencode($mediaType); + + $bs_file_path = 'bs_disp_as_mime_type.php' . PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType)); ?> <html>
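Review bot: the new sanitizing line `$c_type = preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type']);` has an unescaped `/` inside the character class while `/` is also the pattern delimiter; PHP finds the closing delimiter without parsing character classes, so the pattern ends after `[^A-Za-z0-9`, `_-]` is read as modifiers, and the call raises an "Unknown modifier" warning and returns NULL. That leaves `$c_type` empty and the script emits a bare `Content-type:` header instead of the filtered value; escape the slash (`'/[^A-Za-z0-9\/_-]/'`) or switch to another delimiter such as `#`. Two smaller points in the same hunk: `$reference` is concatenated into `$filename` and reaches `basename($filename)` in the Content-disposition header with no filtering at all, so the same character restriction (or a check that it is a well-formed BLOB reference) should apply to it; and `$f_size = $hdrs['Content-Length'];` should verify the key exists, because the read loop's exit condition and the Content-length header both depend on it.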
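Review bot: the added blank `+` line sits between the brace-less `if (isset($customType) && $customType)` and its new body, which makes the statement's scope easy to misread; wrap the assignment in braces or drop the blank line. Moving link construction to `PMA_generate_common_url(array('reference' => $bsReference, 'c_type' => $mediaType))` is the right direction, but confirm that the helper supplies the leading `?` that the removed `"bs_disp_as_mime_type.php?file_path="` string carried, since the new concatenation adds none.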
Vulnerability mechanics
Root cause
"Missing input validation on the `c_type` parameter allows CRLF injection into HTTP response headers."
Attack vector
An attacker sends a crafted HTTP request to `bs_disp_as_mime_type.php` with a `c_type` parameter containing CRLF sequences (e.g., `%0d%0a`). The vulnerable code passes this unsanitized value directly to PHP's `header()` function [CWE-20]. This enables HTTP response splitting: the attacker can inject arbitrary HTTP headers and body content after the CRLF, potentially poisoning caches, hijacking pages, or conducting cross-site scripting attacks. The attack requires no authentication and is performed over HTTP.
Affected code
The vulnerability is in `bs_disp_as_mime_type.php` (patched in commit 69bfbf11c7e9487dfa96293aaa797ff14bb513f0). The `c_type` parameter from `$_REQUEST` was passed directly to `header("Content-type: $c_type")` without sanitization. The related file `bs_play_media.php` also passed unsanitized parameters to the vulnerable script.
What the fix does
The patch sanitizes the `c_type` parameter by applying `preg_replace('/[^A-Za-z0-9/_-]/', '_', $_REQUEST['c_type'])` before it reaches `header()` [patch_id=22074]. This strips all characters that are not alphanumeric, slash, underscore, or hyphen, which eliminates CR (`\r`), LF (`\n`), and other dangerous characters. Additionally, the patch replaces the old `file_path` parameter with a `reference` parameter that is used to construct a URL internally, removing the previous arbitrary file inclusion vector. The call to `PMA_checkParameters` ensures required parameters are present before processing.
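As an added illustration (not code from the page or from phpMyAdmin), the Python below contrasts the unsanitized header construction with the patch's character-class filter and with the MIME whitelist its FIXME suggests, plus a small detection helper for the encoded parameter; the whitelist values and the sample query string are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Allowed-character filter with the same intent as the patch's PHP pattern
# /[^A-Za-z0-9/_-]/ (written here as a Python regex, no delimiter issue).
_DISALLOWED = re.compile(r"[^A-Za-z0-9/_-]")

# Hypothetical whitelist in the spirit of the patch's FIXME; these values are
# an assumption, not phpMyAdmin's actual list.
MIME_WHITELIST = frozenset({"image/png", "image/jpeg", "image/gif",
                            "audio/mpeg", "video/mpeg", "application/pdf"})


def build_headers_unsanitized(c_type: str) -> list[str]:
    """Vulnerable shape: the raw request value is interpolated into the header."""
    raw = "Content-type: " + c_type + "\r\nPragma: no-cache\r\n"
    # A CRLF inside c_type terminates the header early: extra lines appear.
    return [h for h in raw.split("\r\n") if h]


def sanitize_c_type(c_type: str) -> str:
    """Patch behaviour: every character outside the allowed class becomes '_'."""
    return _DISALLOWED.sub("_", c_type)


def build_headers_sanitized(c_type: str) -> list[str]:
    """Hardened shape: only the filtered value reaches the header line."""
    raw = "Content-type: " + sanitize_c_type(c_type) + "\r\nPragma: no-cache\r\n"
    return [h for h in raw.split("\r\n") if h]


def whitelist_c_type(c_type: str, default: str = "application/octet-stream") -> str:
    """Stricter alternative from the FIXME: unknown MIME types fall back to a default."""
    return c_type if c_type in MIME_WHITELIST else default


def crlf_in_param(query_string: str, name: str = "c_type") -> bool:
    """Detection helper for access logs: true if the decoded parameter carries CR or LF."""
    values = parse_qs(query_string, keep_blank_values=True).get(name, [])
    return any("\r" in v or "\n" in v for v in values)


# Constructed sample query string (not a real request): c_type carries %0d%0a.
SAMPLE_QUERY = "reference=abc&c_type=image/png%0d%0aX-Injected:%20yes"
SAMPLE_C_TYPE = unquote("image/png%0d%0aX-Injected:%20yes")
```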
Preconditions
- network: Attacker must be able to send HTTP requests to the phpMyAdmin instance
- config: BLOB streaming feature must be enabled and a blob streaming server configured
Generated by deepseek/deepseek-v4-flash-20260423 on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/MAINT_3_1_3/phpMyAdmin/bs_disp_as_mime_type.php (NVD: patch)
- www.phpmyadmin.net/home_page/security/PMASA-2009-1.php (NVD: patch, vendor advisory)
- github.com/advisories/GHSA-xrpq-63mp-9vcw (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2009-1149 (GHSA advisory)
- lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html (NVD)
- github.com/phpmyadmin/phpmyadmin/commit/69bfbf11c7e9487dfa96293aaa797ff14bb513f0 (GHSA)
- secunia.com/advisories/34468 (NVD)
- secunia.com/advisories/34642 (NVD)