VYPR
Unrated severity · NVD Advisory · Published Apr 26, 2013 · Updated Apr 29, 2026

CVE-2013-3238

Description

phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated remote code execution in phpMyAdmin via preg_replace() null-byte injection in the Replace table prefix feature.

Vulnerability

phpMyAdmin versions 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 are vulnerable to remote code execution in the "Replace table prefix" feature. The application passes user-supplied input to preg_replace() without proper sanitization. By injecting an /e modifier followed by a null byte (\x00), an attacker can leverage PHP's preg_replace code execution behavior (when the /e modifier is present) to execute arbitrary PHP code [3]. The affected versions are explicitly listed in [3].

Exploitation

An attacker must be authenticated to phpMyAdmin. The vulnerability is triggered by crafting a malicious prefix replacement pattern containing a /e\x00 sequence. The /e modifier causes preg_replace to evaluate the replacement string as PHP code, and the null byte prevents proper validation. The exploit can be performed via the "Replace table prefix" form under the "Operations" tab [1][3]. A Metasploit module is available [1].

Impact

Successful exploitation allows a remote authenticated attacker to execute arbitrary PHP code on the web server with the privileges of the web server user. This can lead to full compromise of the phpMyAdmin installation and potentially the underlying database [3].

Mitigation

Upgrade to phpMyAdmin 3.5.8 or newer (for 3.5.x) or 4.0.0-rc3 or newer (for 4.x) [3]. The fix involves proper null-byte filtering before passing input to preg_replace() as seen in commit [2]. Distribution-specific updates are available, e.g., Mageia advisory MGASA-2013-0133 [4]. No known workaround exists for unpatched versions; the feature should be disabled if upgrade is not possible.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

15
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
    • (no CPE) range: 3.5.x before 3.5.8, 4.x before 4.0.0-rc3

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization allows a null-byte-terminated `/e` PCRE modifier to be injected into `preg_replace()`, enabling arbitrary PHP code execution."

Attack vector

An authenticated attacker sends a POST request to `db_structure.php` with `query_type` set to `replace_prefix_tbl`, a crafted `from_prefix` containing `/e\0` (a null byte after the `/e` PCRE modifier), and arbitrary PHP code in `to_prefix` [ref_id=1]. The null byte truncates the regex pattern, while the `/e` modifier causes `preg_replace()` to evaluate the replacement string as PHP code, resulting in remote code execution on the server [ref_id=1][ref_id=3]. PHP versions older than 5.4.7 are required for the `/e` modifier to be exploitable [ref_id=1].

Affected code

The vulnerable code is in `libraries/mult_submits.inc.php` within the `replace_prefix_tbl` and `copy_tbl_change_prefix` cases. The `from_prefix` parameter is passed directly into `preg_replace()` without sanitization [ref_id=1][ref_id=4]. A secondary fix in `libraries/Tracker.class.php` also strips null bytes from database names before passing them to `preg_replace()` [ref_id=2].

What the fix does

The primary fix in commit `dedd542` replaces the `preg_replace()` call with a simple string prefix comparison using `substr()` and string concatenation, completely removing the use of `preg_replace()` for the table prefix replacement logic [ref_id=4]. A secondary fix in commit `ffa720d` strips null bytes from database names via `str_replace("\0", "", $dbname)` before they reach any `preg_replace()` call in `Tracker.class.php` [ref_id=2]. Together these changes eliminate both the null-byte injection vector and the dangerous use of `preg_replace()` with user-controlled patterns.
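An added sketch of the approach described above (not phpMyAdmin's own code; the function names are hypothetical): the prefix swap is done with `strncmp()` and `substr()`, so no request value reaches a PCRE pattern, and a second helper strips NUL bytes from a value that still has to be used inside one. Rejecting NUL bytes outright and the use of `preg_quote()` are choices of this example, and the inputs are constructed.

```php
<?php
// Added illustration; not phpMyAdmin's code. Function names are hypothetical.

/**
 * Swap $fromPrefix for $toPrefix at the start of $table using plain string
 * operations, so no request value is parsed as a PCRE pattern or modifier.
 */
function replaceTablePrefix(string $table, string $fromPrefix, string $toPrefix): string
{
    // Assumption of this example: reject NUL bytes instead of stripping them.
    foreach ([$table, $fromPrefix, $toPrefix] as $value) {
        if (strpos($value, "\0") !== false) {
            throw new InvalidArgumentException('NUL byte in table name or prefix');
        }
    }
    $len = strlen($fromPrefix);
    // Binary-safe, literal comparison of the leading bytes.
    if (strncmp($table, $fromPrefix, $len) === 0) {
        return $toPrefix . substr($table, $len);
    }
    return $table;
}

/**
 * For a value that still has to appear inside a pattern: strip NUL bytes,
 * then escape metacharacters and the delimiter.
 */
function quoteForPattern(string $value): string
{
    return preg_quote(str_replace("\0", '', $value), '/');
}

// Constructed sample inputs.
foreach (['old_users', 'old_orders', 'audit_log'] as $table) {
    echo replaceTablePrefix($table, 'old_', 'new_'), PHP_EOL;
}
// Regex metacharacters in the prefix are compared literally.
echo replaceTablePrefix('a.b_users', 'a.b_', 'x_'), PHP_EOL;
// The sequence from the advisory is refused as input.
try {
    replaceTablePrefix('old_users', "/e\0", 'new_');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// After stripping and quoting, the name matches only its literal self.
echo preg_match('/^' . quoteForPattern("shop.v2\0") . '$/', 'shop.v2'), PHP_EOL;
```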

Preconditions

  • auth: Attacker must have valid phpMyAdmin credentials (authenticated user)
  • config: Target must run PHP version older than 5.4.7 (where /e modifier is exploitable)
  • network: Attacker must have network access to the phpMyAdmin web interface
  • input: Attacker sends crafted POST parameters including /e\0 as from_prefix

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

11
