High severity · NVD Advisory · Published Apr 26, 2013 · Updated Apr 29, 2026
CVE-2013-3239
Description
phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename.
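To make the mechanism above concrete, here is an added Python model of the export filename path (not phpMyAdmin's code) in the three states shown by the patches listed below, plus a defender-side audit of a SaveDir listing. `expand_template`, `DUMP_EXT`, `HANDLER_EXTS` and the sample values are assumptions; the `@NAME@` placeholder form stands in for PMA_expandUserString.

```python
import re

DUMP_EXT = ".sql"                          # extension the SQL exporter appends
HANDLER_EXTS = {"php", "phtml", "php5"}    # assumed AddHandler mappings; adjust to your vhost

def expand_template(template: str, values: dict) -> str:
    """Stand-in for PMA_expandUserString: fills @NAME@ placeholders from values
    (constructed here; the real expansion is richer)."""
    return re.sub(r"@(\w+)@", lambda m: values.get(m.group(1), m.group(0)), template)

def sanitize_filename(filename: str, replace_dots: bool = False) -> str:
    """Mirrors the patched PMA_sanitize_filename: every character outside the
    allowed set becomes '_'; with replace_dots=True the dot is no longer allowed."""
    allowed = "A-Za-z0-9_" + ("" if replace_dots else ".") + "-"
    return re.sub(rf"[^{allowed}]", "_", filename)

def export_filename(template: str, values: dict, mode: str = "fixed") -> str:
    """Name written under SaveDir for the three code states in the patches:
    'original'      dots allowed everywhere (vulnerable)
    'template_only' dots stripped from the template before expansion (d3fafdf)
    'fixed'         dots stripped from the expanded filename (1f6bc0b)"""
    if mode == "original":
        base = sanitize_filename(expand_template(template, values))
    elif mode == "template_only":
        base = sanitize_filename(expand_template(template.replace(".", ""), values))
    else:
        base = sanitize_filename(expand_template(template, values), replace_dots=True)
    # the exporter appends the dump extension only when the name lacks it
    return base if base.lower().endswith(DUMP_EXT) else base + DUMP_EXT

def handler_would_match(filename: str) -> bool:
    """True when any extension segment after the base name maps to the PHP
    handler: mod_mime examines every dotted segment of x.php.sql, not just the last."""
    return any(seg.lower() in HANDLER_EXTS for seg in filename.split(".")[1:])

def audit_savedir(names):
    """Defender check: from a SaveDir listing, return the files Apache would execute."""
    return [n for n in names if handler_would_match(n)]
```

Running `audit_savedir` over an existing SaveDir listing is the quick way to confirm no pre-patch exports with a handler segment are still present.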
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 3.5.0, < 3.5.8.1 | 3.5.8.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
Patches
1f6bc0b70700 Security: block another case of remote execution vulnerability
2 files changed · +18 −7
export.php+3 −3 modified@@ -272,10 +272,10 @@ function PMA_exportOutputHandler($line) 'Export/file_template_table', $filename_template); } } - // remove dots in template to avoid a remote code execution vulnerability - $filename_template = str_replace('.', '', $filename_template); $filename = PMA_expandUserString($filename_template); - $filename = PMA_sanitize_filename($filename); + // remove dots in filename (coming from either the template or already + // part of the filename) to avoid a remote code execution vulnerability + $filename = PMA_sanitize_filename($filename, $replaceDots = true); // Grab basic dump extension and mime type // Check if the user already added extension; get the substring where the extension would be if it was included
libraries/sanitizing.lib.php+15 −4 modified@@ -134,18 +134,29 @@ function PMA_sanitize($message, $escape = false, $safe = false) /** - * Sanitize a filename by removing anything besides A-Za-z0-9_.- + * Sanitize a filename by removing anything besides legit characters * * Intended usecase: - * When using a filename in a Content-Disposition header the value should not contain ; or " + * When using a filename in a Content-Disposition header the value + * should not contain ; or " + * + * When exporting, avoiding generation of an unexpected double-extension file * * @param string The filename + * @param boolean Whether to also replace dots * * @return string the sanitized filename * */ -function PMA_sanitize_filename($filename) { - $filename = preg_replace('/[^A-Za-z0-9_.-]/', '_', $filename); +function PMA_sanitize_filename($filename, $replaceDots = false) { + $pattern = '/[^A-Za-z0-9_'; + // if we don't have to replace dots + if (! $replaceDots) { + // then add the dot to the list of legit characters + $pattern .= '.'; + } + $pattern .= '-]/'; + $filename = preg_replace($pattern, '_', $filename); return $filename; }
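Review bot: in the export.php hunk, `PMA_sanitize_filename($filename, $replaceDots = true)` is an assignment expression used as an argument, not a named parameter; it does pass `true`, but it also creates a stray local `$replaceDots` and reads as if the call were keyed by name, so prefer `PMA_sanitize_filename($filename, true)` with the explanatory comment kept above it. In the libraries/sanitizing.lib.php hunk, the new `@param boolean Whether to also replace dots` line should name the parameter (`$replaceDots`) like the surrounding docblock entries; the `false` default keeps existing Content-Disposition callers unchanged, which is right. Moving the dot removal from the template to the expanded `$filename` is what closes the gap left by d3fafdf, since dots introduced during expansion are now covered too; one follow-up is that the `// Check if the user already added extension` logic that follows in export.php can no longer see a user-supplied extension once dots are replaced, so that branch and its comment should be revisited so the dump extension is appended deliberately rather than by fall-through.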
d3fafdfba080 Security: remove dots in template to avoid a remote code execution vulnerability
1 file changed · +2 −0
export.php+2 −0 modified@@ -272,6 +272,8 @@ function PMA_exportOutputHandler($line) 'Export/file_template_table', $filename_template); } } + // remove dots in template to avoid a remote code execution vulnerability + $filename_template = str_replace('.', '', $filename_template); $filename = PMA_expandUserString($filename_template); $filename = PMA_sanitize_filename($filename);
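Review bot: `str_replace('.', '', $filename_template)` strips dots only from the template text, but `PMA_expandUserString` runs on the next line and can introduce dots through the values it expands, and the `PMA_sanitize_filename($filename)` call that follows still permits `.` in its allowed set; so a filename reaching the exporter can still carry a dot after this change. Apply the removal to `$filename` after expansion (as the later commit 1f6bc0b does by passing a replace-dots flag to the sanitizer) rather than to the template, and state in the comment which input the removal is meant to cover.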
References
- github.com/phpmyadmin/phpmyadmin/commit/1f6bc0b707002e26cab216b9e57b4d5de764de48 (NVD: Exploit, Patch)
- www.phpmyadmin.net/home_page/security/PMASA-2013-3.php (NVD: Vendor Advisory)
- github.com/advisories/GHSA-gg36-9346-9qx9 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-3239 (GHSA: Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2013-May/104725.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2013-May/104770.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2013-May/104936.html (NVD)
- lists.opensuse.org/opensuse-updates/2013-06/msg00181.html (NVD)
- github.com/phpmyadmin/phpmyadmin/commit/d3fafdfba0807068196655e9b6d16c5d1d3ccf8a (NVD)
- archives.neohapsis.com/archives/bugtraq/2013-04/0217.html (NVD)
- www.mandriva.com/security/advisories (NVD)
- wiki.mageia.org/en/Support/Advisories/MGASA-2013-0133 (NVD)