CVE-2020-11579
Description
An issue was discovered in Chadha PHPKB 9.0 Enterprise Edition. installer/test-connection.php (part of the installation process) allows a remote unauthenticated attacker to disclose local files on hosts running PHP before 7.2.16, or on hosts where the MySQL ALLOW LOCAL DATA INFILE option is enabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PHPKB 9.0 Enterprise Edition's installer/test-connection.php allows unauthenticated remote file disclosure via MySQL LOCAL INFILE attack.
Vulnerability
CVE-2020-11579 affects Chadha PHPKB 9.0 Enterprise Edition. The installer/test-connection.php endpoint (part of the installation process) is left reachable after installation, so an unauthenticated remote attacker can make the application open a MySQL connection to a server of their choosing. On hosts running PHP before 7.2.16, or with the MySQL ALLOW LOCAL DATA INFILE option enabled, the MySQL client honours the server's LOAD DATA LOCAL INFILE request and will read arbitrary local files [3].
Exploitation
An attacker sets up a rogue MySQL server and sends a crafted HTTP GET request to the vulnerable PHPKB endpoint, pointing the MySQL connection at the attacker's server. The rogue server answers with a malicious MySQL greeting and then issues a LOAD DATA LOCAL INFILE request naming any file path on the victim host; the client reads that file and sends its contents back to the attacker's server. No authentication is required, and the exploit can be performed remotely [2][3].
Impact
Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the victim host with the privileges of the web server (e.g., www-data). This can disclose sensitive information such as configuration files, database credentials, or other secrets [2][3].
Mitigation
Chadha PHPKB released a patch after the report; users should upgrade to the latest version. Additionally, ensure PHP is updated to at least 7.2.16, which changed the default so that LOCAL INFILE is no longer allowed by the MySQL client, or disable ALLOW LOCAL DATA INFILE in the MySQL configuration. The vulnerable endpoint should be removed or access-restricted once installation is complete [2][3].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chadha / Chadha PHPKB Enterprise Edition
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- shielder.it
- www.phpkb.com
- www.shielder.it/blog/mysql-and-cve-2020-11579-exploitation/
News mentions
No linked articles in our index yet.