CVE-2018-12613
Description
An issue was discovered in phpMyAdmin 4.8.x before 4.8.2, in which an attacker can include (view and potentially execute) files on the server. The vulnerability comes from a portion of code where pages are redirected and loaded within phpMyAdmin, and an improper test for whitelisted pages. An attacker must be authenticated, except in the "$cfg['AllowArbitraryServer'] = true" case (where an attacker can specify any host he/she is already in control of, and execute arbitrary code on phpMyAdmin) and the "$cfg['ServerDefault'] = 0" case (which bypasses the login requirement and runs the vulnerable code without any authentication).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 4.8.x before 4.8.2 allows authenticated (or unauthenticated in certain configs) file inclusion, leading to code execution.
Vulnerability
phpMyAdmin versions 4.8.0 and 4.8.1 (before 4.8.2) contain a file inclusion vulnerability in code that handles page redirection and loading. An improper whitelist check allows an attacker to include arbitrary files from the server. The affected code path is reachable when a user, authenticated or under specific configurations ($cfg['AllowArbitraryServer'] = true or $cfg['ServerDefault'] = 0), interacts with certain redirect logic. [2]
Exploitation
An attacker must be authenticated, except in two cases: when $cfg['AllowArbitraryServer'] = true, an attacker can specify a controlled host and execute arbitrary code on phpMyAdmin; when $cfg['ServerDefault'] = 0, the login requirement is bypassed entirely, and the vulnerable code runs without authentication. The attack involves sending a crafted request that passes a malicious file path to the include mechanism. [1][2][3]
Impact
Successful exploitation allows an attacker to view and potentially execute arbitrary files on the server. This can lead to remote code execution (RCE) with the privileges of the web server process, resulting in full compromise of the phpMyAdmin installation and potentially the underlying system. [1][2][3]
Mitigation
The vulnerability is fixed in phpMyAdmin version 4.8.2, released on 2018-06-21. Users should upgrade immediately. No workarounds are mentioned in the available references; however, disabling the AllowArbitraryServer setting and ensuring ServerDefault is not set to 0 reduces the attack surface for unauthenticated exploitation. [2][4]
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.8, < 4.8.2 | 4.8.2 |
Affected products
- Range: < 4.8.2
- GHSA coordinates (2 versions): >= 4.8, < 4.8.2 (+ 1 more)
- (no CPE) range: >= 4.8, < 4.8.2
- (no CPE) range: < 5.1.1-1.2
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper whitelist validation in `Core::checkPageValidity()` allows double-URL-encoded payloads to bypass the check, leading to local file inclusion via `include $_REQUEST['target']`."
Attack vector
An authenticated attacker sends a crafted `target` parameter to `index.php` that is double-URL-encoded, e.g. `db_sql.php%253f/../../...` [ref_id=2]. The web server and PHP decode the query string once, so `index.php` sees `db_sql.php%3f/../../...`. `Core::checkPageValidity()` compares that value against the whitelist as-is and after truncating at a literal `?`; both comparisons fail. It then calls `urldecode()` on the value a second time, which turns `%3f` into a real `?`, truncates at that `?`, and finds `db_sql.php` in the whitelist, so the check passes [ref_id=2]. The untouched, once-decoded string is what reaches `include $_REQUEST['target']`; there `db_sql.php%3f` is only a non-existent directory component, and the `../` segments that follow step back over it, so the include resolves to an arbitrary file outside the phpMyAdmin tree. In the `$cfg['AllowArbitraryServer'] = true` case an unauthenticated attacker can point phpMyAdmin at an arbitrary host they control; in the `$cfg['ServerDefault'] = 0` case no authentication is required at all [CWE-287].
Affected code
The vulnerability resides in `/index.php` at line 61, which contains `include $_REQUEST['target'];` [ref_id=2]. The whitelist validation is performed by `Core::checkPageValidity()` in `libraries/classes/Core.php` around line 443, but the `urldecode()` call on line 465 of that method re-decodes a value that was already decoded once, so double-URL-encoded payloads bypass the check [ref_id=2].
What the fix does
The advisory does not include a patch diff, but the fix in phpMyAdmin 4.8.2 addresses the improper whitelist validation by correcting `Core::checkPageValidity()` so that double-URL-encoding no longer bypasses it [ref_id=2]. The remediation makes the check apply to the same string that is later passed to `include`, so a decoding discrepancy can no longer approve one page name while a different path is included, closing the LFI vector. Users are advised to upgrade to phpMyAdmin 4.8.2 or later.
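The check-versus-include mismatch described above, as an added example that is not phpMyAdmin's code: a stand-alone PHP script modelling the pre-4.8.2 whitelist logic (exact match, prefix before a literal `?`, prefix after one extra `urldecode()`), an exact-match-only variant of the kind an include target needs, and a lexical model of how the once-decoded `target` resolves when it reaches `include`. The whitelist entries, the install root `/var/www/html/phpmyadmin`, the function names and the lexical path model are assumptions for the demo; the crafted value is the one from the reproduction below, and `parse_str()` stands in for the single decode PHP applies when it builds `$_REQUEST`.

```php
<?php
// Added example, not phpMyAdmin's code: a stand-alone model of the
// whitelist check described above and of an exact-match hardening.
// Whitelist entries and the include root are assumptions for the demo.

declare(strict_types=1);

const GOTO_WHITELIST = ['index.php', 'db_sql.php', 'server_sql.php', 'tbl_sql.php'];

// Vulnerable shape: accept an exact match, the prefix before a literal '?',
// or the prefix before '?' after one extra urldecode().
function checkPageValidityVulnerable(string $page, array $whitelist = GOTO_WHITELIST): bool
{
    if (in_array($page, $whitelist, true)) {
        return true;
    }
    $prefix = substr($page, 0, strpos($page . '?', '?'));
    if (in_array($prefix, $whitelist, true)) {
        return true;
    }
    // The extra decode is the defect: $page was already decoded once by PHP
    // when the query string was parsed, so "%3f" becomes "?" here only.
    $decoded = urldecode($page);
    $prefix  = substr($decoded, 0, strpos($decoded . '?', '?'));
    return in_array($prefix, $whitelist, true);
}

// Hardened shape (illustrative, not the project's patch): a value that will
// be handed to include must match a whitelisted page name exactly.
function checkPageValidityHardened(string $page, array $whitelist = GOTO_WHITELIST): bool
{
    return in_array($page, $whitelist, true);
}

// Lexical model (assumption) of what include does with the once-decoded value:
// "db_sql.php%3f" is a non-existent directory component, and each following
// ".." steps back over it, so the path leaves the application root.
function resolveIncludePath(string $root, string $target): string
{
    $parts = [];
    foreach (explode('/', $root . '/' . $target) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

// Crafted request from the reproduction; parse_str() applies the one decode
// that PHP performs, so %253f arrives as %3f.
$rawQuery = 'target=db_sql.php%253f/../../../../../../etc/passwd';
parse_str($rawQuery, $params);
$target = $params['target'];

printf("target seen by index.php : %s\n", $target);
printf("vulnerable check         : %s\n", checkPageValidityVulnerable($target) ? 'pass' : 'reject');
printf("hardened check           : %s\n", checkPageValidityHardened($target) ? 'pass' : 'reject');
printf("include would resolve to : %s\n", resolveIncludePath('/var/www/html/phpmyadmin', $target));
printf("legitimate 'db_sql.php'  : %s\n", checkPageValidityHardened('db_sql.php') ? 'pass' : 'reject');
```

Run with `php demo.php`; the vulnerable check reports `pass` for the crafted value because its third comparison sees `db_sql.php`, while the resolved include path is `/etc/passwd`. The hardened check rejects the same value and still accepts the plain page name, which is the property any fix for this class of bug has to guarantee: validate exactly the string you are about to include.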
Preconditions
- auth: Attacker must be authenticated to phpMyAdmin (except when `$cfg['AllowArbitraryServer'] = true` or `$cfg['ServerDefault'] = 0`)
- config: Target must be running phpMyAdmin 4.8.0 or 4.8.1
- network: Attacker must have network access to the phpMyAdmin web interface
- input: Attacker sends a double-URL-encoded `target` parameter to `index.php`
Reproduction
1. Authenticate to phpMyAdmin (or access without authentication if `$cfg['ServerDefault'] = 0`).
2. Send a GET request to `index.php` with a double-URL-encoded `target` parameter, e.g. `http://target/phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../windows/wininit.ini` [ref_id=2].
3. The server includes the specified file, allowing viewing and potential execution of arbitrary files.
4. For RCE, create a database table with a PHP payload as a column value, then include the resulting `.frm` data file via the same LFI vector [ref_id=1][ref_id=2].
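A detection rule for the request shape in step 2, as an added example that is not from phpMyAdmin or any of the referenced exploits: the script parses constructed Apache combined-log lines, applies the single decode the web server and PHP perform, and flags any `target` that still contains a percent-encoded byte or a `..` segment, since a genuine page name needs neither. The IPs, timestamps, install path and `.frm` file name are made up for the sample; the fourth line shows a singly-encoded, legitimate target that must not be flagged.

```php
<?php
// Added example, not from phpMyAdmin or the referenced advisories: flag
// double-encoded / traversing `target` parameters in constructed log lines.

declare(strict_types=1);

// Constructed Apache combined-log sample (addresses, paths and names are made up).
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [22/Jun/2018:10:01:12 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../etc/passwd HTTP/1.1" 200 2391 "-" "curl/7.58.0"
203.0.113.7 - - [22/Jun/2018:10:01:15 +0000] "GET /phpmyadmin/index.php?target=db_sql.php%253f/../../../../../../var/lib/mysql/test/pwn.frm HTTP/1.1" 200 512 "-" "curl/7.58.0"
198.51.100.4 - - [22/Jun/2018:10:02:01 +0000] "GET /phpmyadmin/index.php?target=db_sql.php&db=test HTTP/1.1" 200 17321 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jun/2018:10:02:09 +0000] "GET /phpmyadmin/index.php?target=tbl_sql.php%3Fdb%3Dtest HTTP/1.1" 200 17500 "-" "Mozilla/5.0"
LOG;

/**
 * Return the log lines whose `target` parameter, after the single decode the
 * web server and PHP apply, still carries an encoded byte or a ".." segment.
 * Each hit records which of the two conditions fired.
 */
function findSuspiciousTargets(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;
        }
        parse_str($query, $params);                     // one decode, as for $_REQUEST
        if (!isset($params['target']) || !is_string($params['target'])) {
            continue;
        }
        $target       = $params['target'];
        $stillEncoded = preg_match('/%[0-9A-Fa-f]{2}/', $target) === 1;
        $traverses    = preg_match('#(^|/)\.\.(/|$)#', $target) === 1;
        if ($stillEncoded || $traverses) {
            $hits[] = [
                'target'         => $target,
                'double_encoded' => $stillEncoded,
                'traversal'      => $traverses,
                'line'           => $line,
            ];
        }
    }
    return $hits;
}

foreach (findSuspiciousTargets(SAMPLE_LOG) as $hit) {
    printf(
        "[%s%s] target=%s\n",
        $hit['double_encoded'] ? 'double-encoded ' : '',
        $hit['traversal'] ? 'traversal' : '',
        $hit['target']
    );
}
```

Only the first two lines are reported, each with both conditions set; `target=db_sql.php` and the singly-encoded `tbl_sql.php%3Fdb%3Dtest` (which decodes once to `tbl_sql.php?db=test`) pass through. The two conditions are kept separate because a leftover `%XX` after one decode is a strong double-encoding signal on its own, even on hosts where a reverse proxy has already normalised the `..` segments out of the path.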
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/44924/ (MITRE: EXPLOIT-DB)
- www.exploit-db.com/exploits/44928/ (MITRE: EXPLOIT-DB)
- www.exploit-db.com/exploits/45020/ (MITRE: EXPLOIT-DB)
- github.com/advisories/GHSA-x394-g9j8-x7mf (GHSA: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-12613 (GHSA: ADVISORY)
- security.gentoo.org/glsa/201904-16 (GHSA: vendor advisory, GENTOO)
- packetstormsecurity.com/files/164623/phpMyAdmin-4.8.1-Remote-Code-Execution.html (GHSA: MISC)
- www.securityfocus.com/bid/104532 (GHSA: VDB entry, BID)
- www.exploit-db.com/exploits/44924 (GHSA)
- www.exploit-db.com/exploits/44928 (GHSA)
- www.exploit-db.com/exploits/45020 (GHSA)
- www.phpmyadmin.net/security/PMASA-2018-4 (GHSA)
- www.phpmyadmin.net/security/PMASA-2018-4/ (MITRE: CONFIRM)
News mentions
No linked articles in our index yet.