CVE-2016-6633: phpMyAdmin Remote code execution vulnerability when PHP is running with dbase extension
CVSS Score: 8.1 (CVSS v3.0)
Basic Information
CVE ID: CVE-2016-6633
GHSA ID
EPSS Score: 0.83034%
CWE: CWE-94 (Code Injection)
Published: 5/17/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
phpmyadmin/phpmyadmin | composer | >= 4.6, < 4.6.4 | 4.6.4 |
phpmyadmin/phpmyadmin | composer | >= 4.4, < 4.4.15.8 | 4.4.15.8 |
phpmyadmin/phpmyadmin | composer | >= 4.0, < 4.0.10.17 | 4.0.10.17 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from phpMyAdmin's handling of dbase (.dbf) data during import when PHP is running with the dbase extension loaded. The advisory ties the issue explicitly to that extension, and the assigned CWE-94 (Code Injection) points to untrusted input reaching code or file handling without adequate validation. The phpMyAdmin security notice references commits in import-related components (378c382, f80a250, ddeab2a), which most likely tightened input validation in the dbase import path. On that basis this analysis treats the import plugin that parses dbase files (identified here as the ImportDbase class) as the probable location of dbase extension calls such as dbase_open() and dbase_get_record() on attacker-supplied data; note that dbase_open() takes a filesystem path, so both the file name and the file contents derived from an upload are untrusted. This is an inference from the notice and the CWE, not a confirmed code path, and should be checked against the referenced commits before being relied on. Two facts narrow exposure in practice: the attack requires the dbase extension to be loaded (it has not shipped with PHP core since 5.3 and must be installed separately from PECL), and the CVSS vector rates attack complexity as high. The affected ranges and first fixed releases are those listed in the table above.
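As an added example (not code from the page's source or from the phpMyAdmin project), the following Python checks a phpMyAdmin version against the three affected ranges from the table above and reports the first patched release for its branch; it also reads the locked version out of a composer.lock document. The composer.lock fragment is constructed for illustration, and branches the table does not list (4.5.x, 4.7 and later) are simply reported as not in an affected range.

```python
import json
from typing import Optional, Tuple

# Affected ranges from the advisory table: (branch floor, first patched version).
# A version v is affected if floor <= v < patched for one of these branches.
AFFECTED_RANGES = [
    ((4, 6), (4, 6, 4)),
    ((4, 4), (4, 4, 15, 8)),
    ((4, 0), (4, 0, 10, 17)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '4.4.15.7' (or 'v4.6.0-rc1') into a comparable tuple of ints.

    A leading 'v' and any pre-release/build suffix ('-rc1', '+dist') are
    dropped, so a release candidate is treated as the release it precedes.
    """
    core = text.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def first_patched(version: str) -> Optional[str]:
    """Return the first patched version for the branch of `version`, or None
    when the version is not inside any range listed in the advisory table."""
    v = parse_version(version)
    for floor, patched in AFFECTED_RANGES:
        # Tuple comparison: (4, 6) <= (4, 6, 3) < (4, 6, 4) is True.
        if floor <= v < patched:
            return ".".join(str(part) for part in patched)
    return None


def check_composer_lock(lock_json: str) -> Optional[str]:
    """Locate phpmyadmin/phpmyadmin in a composer.lock document and return the
    first patched version if the locked version is affected, else None.
    Raises KeyError if the package is not present in the lock file."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        if pkg.get("name") == "phpmyadmin/phpmyadmin":
            return first_patched(pkg["version"])
    raise KeyError("phpmyadmin/phpmyadmin not found in composer.lock")


# Constructed composer.lock fragment for illustration; not a real lock file.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "phpmyadmin/phpmyadmin", "version": "4.4.15.7"},
        {"name": "twig/twig", "version": "1.24.1"},
    ]
})


if __name__ == "__main__":
    for ver in ["4.0.10.16", "4.0.10.17", "4.4.15.7", "4.6.3", "4.6.4", "4.7.0"]:
        print(ver, "->", first_patched(ver) or "not in an affected range")
    print("composer.lock ->", check_composer_lock(SAMPLE_LOCK))
```

A version match alone does not establish exposure for this CVE: the dbase extension must actually be loaded in the PHP that serves phpMyAdmin, which `php -m` (or `php -r 'var_dump(extension_loaded("dbase"));'`) will show for the CLI SAPI; check the web SAPI's phpinfo() too, since CLI and web PHP can be configured differently.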