CVE-2013-4729
Description
import.php in phpMyAdmin 4.x before 4.0.4.1 does not properly restrict the ability of input data to specify a file format, which allows remote authenticated users to modify the GLOBALS superglobal array, and consequently change the configuration, via a crafted request.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 4.x before 4.0.4.1 allows remote authenticated users to inject into the GLOBALS array via import.php, leading to configuration manipulation.
Vulnerability
import.php in phpMyAdmin 4.x before version 4.0.4.1 does not properly restrict the ability of input data to specify a file format, allowing remote authenticated users to modify the GLOBALS superglobal array and consequently change the configuration. The affected versions are 4.0.0 up to 4.0.4 [1][3].
Exploitation
An attacker must be a logged-in user of phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form [3]. The attacker crafts a request to import.php that injects values into the GLOBALS array, thereby overriding configuration parameters [1][3].
Impact
Successful exploitation enables the attacker to manipulate any configuration parameter of phpMyAdmin [3]. This can lead to a complete compromise of the phpMyAdmin configuration and potentially further exploitation of the underlying database server.
Mitigation
Upgrade to phpMyAdmin 4.0.4.1 or newer, or apply the patch from commit 012464268420e53a9cd81cbb4a43988d70393c36 [3][2]. The fix was released on 2013-07-01 [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.0, < 4.0.4.1 | 4.0.4.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- (no CPE) range: < 4.0.4.1
- GHSA coordinates (no CPE) range: >= 4.0, < 4.0.4.1
- GHSA coordinates (no CPE) range: < 4.6.5.2-1.1
Patches
1. 012464268420 [security] Global variables scope injection vulnerability (see PMASA-2013-7)
2 files changed · +21 −0
ChangeLog+3 −0 modified@@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +4.0.4.1 () +- [security] Global variables scope injection vulnerability (see PMASA-2013-7) + 4.0.4.0 (2013-06-17) - bug #3959 Using DefaultTabDatabase in NavigationTree for Database Click - bug #3961 Avoid Suhosin warning when in simulation mode
import.php+18 −0 modified@@ -122,6 +122,24 @@ * We only need to load the selected plugin */ +if (! in_array( + $format, + array( + 'csv', + 'ldi', + 'mediawiki', + 'ods', + 'shp', + 'sql', + 'xml' + ) +) +) { + // this should not happen for a normal user + // but only during an attack + PMA_fatalError('Incorrect format parameter'); +} + $post_patterns = array( '/^force_file_/', '/^'. $format . '_/'
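Review bot: in the import.php hunk, the hard-coded allow-list (`'csv', 'ldi', 'mediawiki', 'ods', 'shp', 'sql', 'xml'`) is the right fix, because `$format` is interpolated unescaped into the `'/^' . $format . '_/'` pattern immediately below and that pattern decides which POST keys are accepted; add a comment next to the array stating that it must be kept in sync with the import plugins (a new plugin would otherwise be rejected with "Incorrect format parameter"), or derive the list from the plugin directory instead of duplicating it, and wrap `$format` in `preg_quote($format, '/')` when building the pattern as defense in depth even with the allow-list in place.

Review bot: the ChangeLog hunk adds the entry as `4.0.4.1 ()` with an empty release date; fill in the date before tagging, in the same form as the `4.0.4.0 (2013-06-17)` line below it.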
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/phpmyadmin/phpmyadmin/commit/012464268420e53a9cd81cbb4a43988d70393c36 (source: NVD; tags: Exploit, Patch; web)
- www.phpmyadmin.net/home_page/security/PMASA-2013-7.php (source: NVD; tag: Vendor Advisory; web)
- github.com/advisories/GHSA-x962-w72p-mv7q (source: GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2013-4729 (source: GHSA; advisory)