
CVE-2009-1149:
phpMyAdmin HTTP Response Splitting Vulnerability

CVSS Score: 7.5

Basic Information

EPSS Score: -
Published: 5/2/2022
Updated: 1/23/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector (v2): AV:N/AC:L/Au:N/C:P/I:P/A:P

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| phpmyadmin/phpmyadmin | composer | < 3.1.3.1 | 3.1.3.1 |

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis (Miggo AI)

The analysis focused on the change the patch made to bs_disp_as_mime_type.php, specifically how the 'c_type' request parameter is sanitized before use. PHP's header() is the vulnerable sink: before the patch it was called with the user-controlled 'c_type' value without rejecting carriage-return and line-feed characters, so an attacker who places CR/LF in that parameter can terminate the intended header and append headers of their own, or an entire second response, which is the HTTP response splitting the CVE describes.

Vulnerable functions

PHP's header(), as called from bs_disp_as_mime_type.php with the unsanitized 'c_type' parameter (see the root cause analysis above).

WAF Protection Rules

WAF Rule

CRLF injection vulnerability in `bs_disp_as_mime_type.php` in the BLOB streaming feature in phpMyAdmin before 3.1.3.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the (1) `c_type` and possib
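The mechanism behind this rule and the root cause analysis above, as an added example that is not part of this page and is not phpMyAdmin's code: a Python model of the response-splitting sink (PHP's header() receiving the `c_type` parameter unchecked), the same construction guarded by a strict MIME-type allowlist, and a WAF-style filter that flags CR/LF in `c_type` whether raw, percent-encoded or double-encoded. All function names, the injected payload and the sample query strings are constructed for the illustration; the allowlist check is the editor's hardening choice, not the approach taken by the actual patch, which the page does not show.

```python
import re
from urllib.parse import parse_qs, unquote

# Request parameters that reach a response header in bs_disp_as_mime_type.php.
# The CVE text names c_type; extend the tuple if a rule must cover more names.
HEADER_PARAMS = ("c_type",)

# Syntax of one MIME type token ("type/subtype"), used as an allowlist.
# Anything outside this character set, CR and LF included, is rejected.
MIME_TYPE_RE = re.compile(r"[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+")

CRLF_RE = re.compile(r"[\r\n]")


def build_response_unsafe(c_type: str, body: bytes) -> bytes:
    """Model of the vulnerable pattern (constructed, not phpMyAdmin's code):
    the request parameter is concatenated into a header with no CR/LF check,
    as header('Content-Type: ' . $c_type) would do without the patch."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {c_type}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode("latin-1") + body


def header_value_accepted(value: str) -> bool:
    """Hardened check: True only for a well-formed type/subtype token."""
    return MIME_TYPE_RE.fullmatch(value) is not None


def build_response_safe(c_type: str, body: bytes) -> bytes:
    """Same construction, but the header value must pass the allowlist."""
    if not header_value_accepted(c_type):
        raise ValueError(f"rejected content type: {c_type!r}")
    return build_response_unsafe(c_type, body)


def count_responses(raw: bytes) -> int:
    """Number of HTTP status lines a client would see in the byte stream.
    Anything above 1 means the response was split."""
    return len(re.findall(rb"HTTP/1\.[01] \d{3} ", raw))


def waf_flags_request(query_string: str) -> bool:
    """WAF-style check: True if a header-bound parameter carries CR or LF,
    raw, percent-encoded (%0d%0a) or double-encoded (%250d%250a)."""
    params = parse_qs(query_string, keep_blank_values=True)  # decodes one layer
    for name in HEADER_PARAMS:
        for value in params.get(name, []):
            candidate = value
            for _ in range(2):  # look through one extra encoding layer
                if CRLF_RE.search(candidate):
                    return True
                candidate = unquote(candidate)
            if CRLF_RE.search(candidate):
                return True
    return False


# Constructed payload: ends the real header block, then supplies a second,
# attacker-authored response that the client will parse as the server's own.
INJECTED_C_TYPE = (
    "text/plain\r\n"
    "Set-Cookie: pma_session=attacker\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Length: 17\r\n"
    "\r\n"
    "<html>evil</html>"
)

if __name__ == "__main__":
    print(count_responses(build_response_unsafe(INJECTED_C_TYPE, b"blob")))  # 2
    print(header_value_accepted(INJECTED_C_TYPE))  # False
    print(waf_flags_request("c_type=text%2Fplain%0d%0aSet-Cookie%3A+x%3Dy"))  # True
```

Two practitioner notes. First, an allowlist of the few MIME types the BLOB streaming feature actually needs is stronger than the syntax check above; stripping CR/LF from the value is the weakest option, since it leaves the rest of the attacker's string in the header. Second, PHP 5.1.2 and later refuse a header() call whose argument contains a newline, which blocks the raw form of this attack at the sink; that runtime guard is a safety net, not a substitute for validating `c_type` before it reaches header().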
