CVE-2016-9863: phpMyAdmin DoS Vulnerability

CVSS Score: 7.5 (CVSS v3.0)

Basic Information

EPSS Score: 0.69324%
Published: 5/17/2022
Updated: 11/2/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: phpmyadmin/phpmyadmin
Ecosystem: composer
Vulnerable Versions: >= 4.6.0, < 4.6.5
First Patched Version: 4.6.5

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper input validation (CWE-20) in table partitioning handling. Though exact commit diffs aren't available, the advisory references commit 7ddcbc0 which patched this issue. Partitioning logic in phpMyAdmin is typically handled in Partition.php. The function PMA_handlePartitioning() would process partitioning parameters from user requests. Lack of validation on input size (e.g., number of partitions or parameter length) would allow crafted large requests to cause DoS via resource exhaustion, consistent with the described vulnerability.
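The mitigation the analysis points at is bounding the size of partitioning input before any of it is processed. The PHP below is an added illustration of that check; it is not phpMyAdmin's code and does not reproduce commit 7ddcbc0. The function name, the request layout (`partition_count`, `partitions`), the limits and the sample requests are all assumptions made for the example.

```php
<?php
// Added illustrative example (not phpMyAdmin code). Function name, limits and
// request layout are assumptions for the demonstration only.

// Upper bounds chosen for the example. MySQL itself caps a table at 8192
// partitions, so a request far beyond that is never legitimate.
const MAX_PARTITIONS     = 1024;
const MAX_PARAM_LENGTH   = 256;   // bytes per partition-related field
const MAX_REQUEST_FIELDS = 4096;  // top-level fields accepted in one request

/**
 * Validate user-supplied partitioning parameters before any of them are used
 * to build SQL or to allocate per-partition data structures.
 * Returns an array of error strings; an empty array means the request is acceptable.
 */
function validatePartitioningRequest(array $req): array
{
    $errors = [];

    // Reject oversized requests up front, before iterating over their contents.
    if (count($req) > MAX_REQUEST_FIELDS) {
        return ['request has too many fields: ' . count($req)];
    }

    // partition_count must be a small positive integer, not an arbitrary string.
    $count = $req['partition_count'] ?? null;
    if (!is_string($count) && !is_int($count)) {
        $errors[] = 'partition_count missing';
    } elseif (!preg_match('/^\d{1,5}$/', (string) $count)) {
        $errors[] = 'partition_count is not a small integer';
    } elseif ((int) $count < 1 || (int) $count > MAX_PARTITIONS) {
        $errors[] = 'partition_count out of range: ' . (int) $count;
    }

    // Each partition definition is bounded both in count and in field length.
    $partitions = $req['partitions'] ?? [];
    if (!is_array($partitions)) {
        $errors[] = 'partitions must be an array';
    } elseif (count($partitions) > MAX_PARTITIONS) {
        // Checked before the loop so a huge list is never walked.
        $errors[] = 'too many partition definitions: ' . count($partitions);
    } else {
        foreach ($partitions as $i => $p) {
            foreach (['name', 'value'] as $field) {
                $v = $p[$field] ?? '';
                if (!is_string($v)) {
                    $errors[] = "partition $i: $field must be a string";
                } elseif (strlen($v) > MAX_PARAM_LENGTH) {
                    $errors[] = "partition $i: $field exceeds " . MAX_PARAM_LENGTH . ' bytes';
                }
            }
        }
    }
    return $errors;
}

// Constructed sample requests for the demonstration.
$normal = [
    'partition_count' => '4',
    'partitions' => [
        ['name' => 'p0', 'value' => '1990'],
        ['name' => 'p1', 'value' => '2000'],
        ['name' => 'p2', 'value' => '2010'],
        ['name' => 'p3', 'value' => 'MAXVALUE'],
    ],
];

// A request of the shape the advisory describes: far more partition
// definitions than any schema needs, with oversized field values.
$oversized = [
    'partition_count' => '100000',
    'partitions' => array_fill(0, 50000, ['name' => str_repeat('p', 5000), 'value' => '1']),
];

var_dump(validatePartitioningRequest($normal));    // empty array: accepted
var_dump(validatePartitioningRequest($oversized)); // two errors: rejected before processing
```

The point of the ordering is that every size check runs before the code does work proportional to the input: the top-level field count and the partition-list length are tested before any loop, and per-field length is tested before the value is used. For the oversized request the function returns two errors (partition_count has six digits, and 50000 definitions exceed the cap) without touching the individual entries.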

WAF Protection Rules

WAF Rule

An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected.
