CVE-2011-2506
Description
Static code injection in phpMyAdmin's setup/lib/ConfigGenerator.class.php (3.x before 3.3.10.2 and 3.4.x before 3.4.3.1) allows attackers who can modify the $_SESSION superglobal array to inject arbitrary PHP code into the generated configuration file, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability resides in setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.4.x before 3.4.3.1; in the 3.3.x branch before 3.3.10.2 the same generator code lives in setup/lib/ConfigFile.class.php, as the second patch below shows. When the setup script renders a configuration file it emits a "/* Server: <name> [<id>] */" comment for every entry of the Servers array held in $_SESSION. The server name was passed through strtr() to neutralise the comment closing delimiter (*/), but the array key $id was interpolated into the comment untouched. An attacker who can manipulate the $_SESSION superglobal can therefore close the comment with */ and have whatever follows written into the generated file as live PHP code [1][2].
Exploitation
An attacker first exploits the related session-manipulation bug CVE-2011-2505 (PMASA-2011-5) in swekey.auth.lib.php, where parse_str() is called without a second argument, so query-string parameters can overwrite arbitrary $_SESSION entries [2]. Planting a Servers entry whose key contains a */ sequence followed by PHP code is enough: when the setup script's config generator runs, it produces a configuration file carrying the attacker's code. The chain requires no authentication and can be performed remotely [2][3].
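The comment break-out described above, as an added example that is not phpMyAdmin's code: the two functions model the single generator line before and after the fix (copied in shape from the patch below), the session array is constructed for the demo, and PHP's own tokenizer is used to decide whether each emitted line contains anything besides comment and whitespace.

```php
<?php
// Added example, not phpMyAdmin code: models the one generator line changed by the
// PMASA-2011-6 fix and shows why an attacker-controlled server id breaks out of the
// generated comment. The fake session contents below are constructed for the demo.
declare(strict_types=1);

// Pre-fix shape of the line: only the server name goes through strtr(); the array
// key $id is interpolated into the comment untouched.
function emitServerCommentVulnerable(string $name, string $id): string
{
    return '/* Server: ' . strtr($name, '*/', '-') . " [$id] */";
}

// Post-fix shape: name and id are concatenated first and sanitised together.
// strtr() with two string arguments pairs characters positionally and ignores the
// unpaired one, so '*/' => '-' only rewrites '*' to '-'. That is still sufficient:
// with no '*' left, no '*/' sequence can be formed.
function emitServerCommentPatched(string $name, string $id): string
{
    return '/* Server: ' . strtr($name . " [$id] ", '*/', '-') . '*/';
}

// Ask PHP's own lexer whether the line holds anything besides comment/whitespace.
// Any other token means the generated file would execute attacker-supplied text.
function containsLivePhp(string $line): bool
{
    $harmless = [T_OPEN_TAG, T_COMMENT, T_DOC_COMMENT, T_WHITESPACE];
    foreach (token_get_all("<?php\n" . $line . "\n") as $tok) {
        if (!is_array($tok)) {
            return true;                       // bare char such as ';' or '(' is code
        }
        if (!in_array($tok[0], $harmless, true)) {
            return true;                       // e.g. T_ECHO, T_STRING, T_VARIABLE
        }
    }
    return false;
}

// Constructed stand-in for $_SESSION['ConfigFile']['Servers']. In the real chain the
// hostile key would be planted through the swekey parse_str() bug (CVE-2011-2505).
$servers = [
    'localhost'                => ['host' => 'localhost'],
    "x */ echo 'injected'; /*" => ['host' => 'attacker'],
];

foreach ($servers as $id => $server) {
    $id = (string) $id;
    $lines = [
        'vulnerable' => emitServerCommentVulnerable($server['host'], $id),
        'patched'    => emitServerCommentPatched($server['host'], $id),
    ];
    foreach ($lines as $label => $line) {
        printf("%-10s %-4s %s\n", $label, containsLivePhp($line) ? 'CODE' : 'ok', $line);
    }
}
```

Run with php on the command line: the benign key produces an all-comment line in both variants, the hostile key produces "/* Server: attacker [x */ echo 'injected'; /* ] */" from the vulnerable form (the tokenizer reports an echo statement outside the comment) and "/* Server: attacker [x -/ echo 'injected'; /- ] */" from the patched form, which is a single comment again.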
Impact
Successful exploitation results in remote code execution under the privileges of the web server. The attacker can execute arbitrary PHP commands, leading to full compromise of the phpMyAdmin installation and potential access to underlying databases and the server [2][3].
Mitigation
Upgrade to phpMyAdmin 3.3.10.2 (3.3.x branch) or 3.4.3.1 (3.4.x branch), which contain the fix [1][2]. No vendor workaround is published for this bug itself. Two practical caveats: the attack chain runs through the web-reachable setup script, so restricting access to the setup directory, which phpMyAdmin's install documentation tells you to do after initial configuration, limits exposure without replacing the patch; and the fix for the companion session-manipulation bug CVE-2011-2505 ships in the same releases (see the ChangeLog hunks below), so one upgrade closes both halves of the chain. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
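A check a practitioner can run against an existing install, added here as an example rather than taken from phpMyAdmin or the advisory: it compares the detected version against the affected ranges from the package table on this page and fingerprints the generator line using the before/after text of the fix diffs. The location and format of the version string (libraries/Config.class.php, $this->set('PMA_VERSION', ...)) is an assumption about the 3.x tree; adjust it if your copy differs.

```php
<?php
// Added example, not from phpMyAdmin or the advisory: an offline check for an existing
// 3.x install. It compares the version against the affected ranges listed on this page
// and fingerprints the setup generator line using the before/after text of the fix diff.
// Assumption: 3.x records its version in libraries/Config.class.php as
// $this->set('PMA_VERSION', '3.x.y.z'); adjust the path/regex if your tree differs.
declare(strict_types=1);

// Affected ranges exactly as in the package table: >=3.0,<3.3.10.2 and >=3.4,<3.4.3.1.
function isAffectedVersion(string $v): bool
{
    return (version_compare($v, '3.0', '>=') && version_compare($v, '3.3.10.2', '<'))
        || (version_compare($v, '3.4', '>=') && version_compare($v, '3.4.3.1', '<'));
}

// The pre-fix line appends " [$id] */" to an already-sanitised name; the fixed line
// sanitises name and id together and appends "*/" afterwards.
function classifyGeneratorSource(string $src): string
{
    if (strpos($src, '" [$id] */"') !== false) {
        return 'vulnerable';
    }
    if (strpos($src, '" [$id] ", \'*/\', \'-\')') !== false) {
        return 'patched';
    }
    return 'unknown';
}

function scanInstall(string $root): array
{
    $result = ['version' => null, 'version_affected' => null, 'generator' => 'not found'];

    $cfg = @file_get_contents($root . '/libraries/Config.class.php');
    if ($cfg !== false && preg_match("/PMA_VERSION',\s*'([0-9.]+)'/", $cfg, $m)) {
        $result['version'] = $m[1];
        $result['version_affected'] = isAffectedVersion($m[1]);
    }

    // 3.4.x keeps the generator in ConfigGenerator.class.php; 3.3.x has the same
    // code in ConfigFile.class.php (see the two patches on this page).
    foreach (['setup/lib/ConfigGenerator.class.php', 'setup/lib/ConfigFile.class.php'] as $rel) {
        $src = @file_get_contents("$root/$rel");
        if ($src !== false && ($class = classifyGeneratorSource($src)) !== 'unknown') {
            $result['generator'] = "$class ($rel)";
            break;
        }
    }
    return $result;
}

// Usage: php pma-2506-check.php /var/www/phpmyadmin
print_r(scanInstall($argv[1] ?? '.'));
```

Treat "version_affected => true" or "generator => vulnerable (...)" as a finding; "unknown" means the file exists but matches neither fingerprint, which happens on trees that were patched differently or restructured, and deserves a manual look rather than a pass.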
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 3.0, < 3.3.10.2 | 3.3.10.2 |
| phpmyadmin/phpmyadmin (Packagist) | >= 3.4, < 3.4.3.1 | 3.4.3.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.1.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.2.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.10.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.3.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.3.0:*:*:*:*:*:*:*
- (no CPE) version ranges: < 3.3.10.2, < 3.4.3.1
Patches
0fbedaf5fd7a: Fixed possible code injection in case session variables are compromised, see PMASA-2011-6
2 files changed · +2 −1
ChangeLog+1 −0 modified@@ -3,6 +3,7 @@ phpMyAdmin - ChangeLog 3.4.3.1 (not yet released) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 +- [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 3.4.3.0 (2011-06-27) - bug #3311170 [sync] Missing helper icons in Synchronize
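Review bot: the new ChangeLog line reads "incase", which should be "in case"; the commit title carries the same typo, so fix both before the entry is copied into the release notes.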
setup/lib/ConfigGenerator.class.php+1 −1 modified@@ -39,7 +39,7 @@ public static function getConfigFile() if ($cf->getServerCount() > 0) { $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf; foreach ($c['Servers'] as $id => $server) { - $ret .= '/* Server: ' . strtr($cf->getServerName($id), '*/', '-') . " [$id] */" . $crlf + $ret .= '/* Server: ' . strtr($cf->getServerName($id) . " [$id] ", '*/', '-') . "*/" . $crlf . '$i++;' . $crlf; foreach ($server as $k => $v) { $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
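Review bot: the changed line relies on the two-string form of strtr(), which pairs characters positionally and ignores the unpaired one, so '*/' => '-' only rewrites '*' to '-' and leaves every '/' in place. That is still sufficient, since no '*' survives and therefore no '*/' can be formed, but a reader will assume both characters are replaced. Either write what actually happens, strtr($cf->getServerName($id) . " [$id] ", '*', '-'), or use the array form strtr(..., ['*/' => '-']) so the intent (kill the delimiter sequence) is what the code says. A one-line comment noting that $id is an array key taken from $_SESSION, and hence attacker-influenced, would explain why the key must pass through the sanitiser at all.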
2e01647949df: Fixed possible code injection in case session variables are compromised
2 files changed · +2 −1
ChangeLog+1 −0 modified@@ -7,6 +7,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA 3.3.10.2 (not yet released) - [security] Fixed possible session corruption in swekey authentication +- [security] Fixed possible code injection incase session variables are compromised 3.3.10.1 (2011-05-20) - [security] XSS on Tracking page
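Review bot: the new 3.3.10.2 ChangeLog line omits the advisory reference that the matching 3.4.3.1 entry carries ("see PMASA-2011-6"); add it so both branch ChangeLogs point at the same advisory, and fix "incase" to "in case" while here.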
setup/lib/ConfigFile.class.php+1 −1 modified@@ -286,7 +286,7 @@ public function getConfigFile() if ($this->getServerCount() > 0) { $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf; foreach ($c['Servers'] as $id => $server) { - $ret .= '/* Server: ' . strtr($this->getServerName($id), '*/', '-') . " [$id] */" . $crlf + $ret .= '/* Server: ' . strtr($this->getServerName($id) . " [$id] ", '*/', '-') . "*/" . $crlf . '$i++;' . $crlf; foreach ($server as $k => $v) { $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
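Review bot: same positional-strtr() caveat as the 3.4 hunk, the two-string form only maps '*' to '-' and leaves '/' untouched, which happens to be enough but does not read that way; the array form strtr(..., ['*/' => '-']) says what is meant. Separately, this branch keeps the generator in ConfigFile::getConfigFile() rather than in ConfigGenerator.class.php, so the advisory text that names only ConfigGenerator.class.php understates which file 3.3.x users must check; the ChangeLog entry for this branch should name setup/lib/ConfigFile.class.php.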
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-6.php (nvd: Patch, Vendor Advisory)
- ha.xxor.se/2011/07/phpmyadmin-3x-multiple-remote-code.html (nvd: Exploit)
- www.exploit-db.com/exploits/17514 (nvd: Exploit; ghsa)
- secunia.com/advisories/45139 (nvd: Vendor Advisory)
- github.com/advisories/GHSA-p6h7-29r2-g88f (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-2506 (ghsa: Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2011-July/062719.html (nvd)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd; ghsa)
- securityreason.com/securityalert/8306 (nvd)
- typo3.org/teams/security/security-bulletins/typo3-sa-2011-008 (nvd; ghsa)
- www.debian.org/security/2011/dsa-2286 (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/2 (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/6 (nvd)
- www.openwall.com/lists/oss-security/2011/06/28/8 (nvd)
- www.openwall.com/lists/oss-security/2011/06/29/11 (nvd)
- github.com/phpmyadmin/phpmyadmin/commit/0fbedaf5fd7a771d0885c6b7385d934fc90d0d7f (ghsa)
- github.com/phpmyadmin/phpmyadmin/commit/2e01647949df937040e73a94ce0bac0daecbdcf4 (ghsa)
- www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt (nvd; archived copy: web.archive.org/web/20110712103138/http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt, ghsa)
- www.securityfocus.com/archive/1/518804/100/0/threaded (nvd; archived copy: web.archive.org/web/20111116172111/http://www.securityfocus.com/archive/1/518804/100/0/threaded, ghsa)
- www.mandriva.com/security/advisories (nvd)
- web.archive.org/web/20121105034518/http://www.mandriva.com/en/support/security/advisories (ghsa)
- secunia.com/advisories/45292 (nvd)
- secunia.com/advisories/45315 (nvd)
- www.osvdb.org/73612 (nvd)
News mentions
No linked articles in our index yet.