A short tour of the five CVEs I have publicly disclosed in open-source projects, from a 2018 XSS in phpMyAdmin to a 2023 path traversal in resumable.php.
I joined the phpMyAdmin team on 27/08/2018. A lot of my early security work was on that codebase, and in particular on one feature: the Designer. I ended up coming back to it more than once.
2018 — XSS in the Designer
My first publicly credited disclosure. A specially crafted database name could be reflected in the Designer feature and execute as JavaScript in the browser.
- CVE-2018-12581 / PMASA-2018-3 — fixed in phpMyAdmin 4.8.2.
2019 — Two SQL injections in the Designer
The same surface area came back, this time as something more serious. Both bugs are triggered through crafted database names in the Designer and were rated serious by the phpMyAdmin security team.
- CVE-2019-11768 / PMASA-2019-3 — fixed in phpMyAdmin 4.8.6.
- CVE-2019-18622 / PMASA-2019-5 — same class of bug but covering a different version range (including the 4.7.x line and 4.9.x prior to 4.9.2); fixed in phpMyAdmin 4.9.2.
To be honest, my method was unscientific: I tested with every weird character I could think of in database names until something broke. It kept breaking.
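The two bug classes above share one root cause: a database name that the application trusts as a string ends up in an HTML page or a SQL statement without being escaped for that context. As an added example (not phpMyAdmin's code, and not the Designer fix itself), the PHP below shows the two context-specific escapes a defender would reach for, plus a small check loop in the spirit of the "every weird character" approach: a constructed corpus of hostile names is pushed through both helpers and the output is verified against the invariant that matters for each context. Function names and the corpus are my own; PHP 8 is assumed for str_contains.

```php
<?php
declare(strict_types=1);

// Render an untrusted database name into HTML. ENT_QUOTES covers both quote
// styles so the value is safe inside attribute values as well as text nodes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function renderDbName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Quote an untrusted name as a MySQL identifier. Identifiers cannot be bound
// as prepared-statement parameters, so escaping is the only option: wrap in
// backticks and double any backtick inside the name. MySQL forbids NUL bytes
// in identifiers, so reject those outright rather than guess.
function quoteIdentifier(string $name): string
{
    if (str_contains($name, "\0")) {
        throw new InvalidArgumentException('NUL byte in identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Constructed fuzz corpus (hypothetical values, not from any real report).
const WEIRD_NAMES = [
    'plain_db',
    "db'; DROP TABLE t; --",
    'db`; SELECT 1; -- ',
    '<script>alert(1)</script>',
    'db" onmouseover="alert(1)',
    "db\xff\xfe",        // invalid UTF-8
    "db\0hidden",        // NUL byte
];

// Run both helpers over the corpus and check the security invariants:
// no raw HTML metacharacters survive rendering, and every quoted identifier
// is a single balanced backtick-delimited token (no odd-length backtick run
// inside it, which would let the attacker close the identifier early).
function fuzzCheck(array $names): array
{
    $results = [];
    foreach ($names as $name) {
        $html = renderDbName($name);
        $htmlOk = preg_match('/[<>"\']/', $html) === 0;

        try {
            $ident = quoteIdentifier($name);
            $inner = substr($ident, 1, -1);           // strip the outer backticks
            $identOk = preg_match('/(?<!`)`(``)*(?!`)/', $inner) === 0;
        } catch (InvalidArgumentException $e) {
            $ident = null;
            $identOk = true;                          // rejecting the input is a safe outcome
        }
        $results[] = ['name' => $name, 'html' => $html, 'identifier' => $ident, 'ok' => $htmlOk && $identOk];
    }
    return $results;
}

foreach (fuzzCheck(WEIRD_NAMES) as $r) {
    printf("%-40s %s\n", addcslashes($r['name'], "\0..\37\177..\377"), $r['ok'] ? 'OK' : 'FAIL');
}
```

The point of the loop is not that these seven strings are exhaustive, but that the check is written against the property of the output (no unescaped metacharacter for that context) rather than against a denylist of inputs, so adding new weird names to the corpus costs nothing.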
2022 — Two-factor authentication bypass
A sequence of actions an already-authenticated user could perform to circumvent their own 2FA protections. The phpMyAdmin team rated this low severity because the attacker needed valid credentials first, but it was still a real bypass and worth fixing.
- CVE-2022-23807 / PMASA-2022-1 — fixed in phpMyAdmin 4.9.8 and 5.1.2.
2023 — Path traversal in dilab/resumable.php
On 07/12/2023 I reported an arbitrary file write bug in dilab/resumable.php, the PHP back-end for resumable.js. I noticed something off in my own unit tests — the code was managing to write outside its test folder — and from there I built a small proof of concept (a path like ../../test-hack.txt in resumableFilename and resumableRelativePath) and emailed the author. After the fix, I opened a CVE request via MITRE.
- CVE-2023-52086 — GitHub advisory: GHSA-pg6w-hq9f-wfwr.
- Original report: dilab/resumable.php#34.
- Fix in the upstream: dilab/resumable.php#27.
- Also fixed in my own fork code-lts/resumable.php — commits d3552ef ("Fix remote file overwrite and arbitrary file injection in the file system") and 7e7697f ("Security fix n°2 - make chunk names safe too"), both shipped in v1.0.0.
- I wrote a dedicated post about it: CVE-2023-52086 - My security gift for the end of the year 2023.
Depending on the version of the back-end, the attack could either overwrite existing files or write new files outside the intended directory.
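What makes this class of bug hard to fix with a single realpath() call is that the destination file does not exist yet, so there is nothing to canonicalise. As an added example (my own illustration, not the dilab/resumable.php fix and not code from either repository), the PHP below validates the two client-supplied values named above, resumableRelativePath and resumableFilename, component by component, and derives chunk file names from a hash so that no attacker-controlled string reaches the filesystem at all, which is the same concern as the second commit ("make chunk names safe too"). Function and parameter names are my own; PHP 8 is assumed for str_contains.

```php
<?php
declare(strict_types=1);

// A single path component is acceptable only if it cannot climb, hide,
// or smuggle a separator past the join below.
function safeComponent(string $component): bool
{
    return $component !== ''
        && $component !== '.'
        && $component !== '..'
        && !str_contains($component, "\0")
        && !str_contains($component, '/')
        && !str_contains($component, '\\');
}

// Build the destination path for an upload, or return null when any input
// would leave $uploadRoot. realpath() only resolves existing paths, so the
// root is canonicalised and the untrusted parts are checked before the join
// rather than resolved after it.
function safeUploadPath(string $uploadRoot, string $relativePath, string $filename): ?string
{
    $root = realpath($uploadRoot);
    if ($root === false) {
        return null;
    }

    $segments = [];
    foreach (preg_split('#[/\\\\]+#', $relativePath) as $seg) {
        if ($seg === '') {
            continue;                       // tolerate leading, trailing or doubled slashes
        }
        if (!safeComponent($seg)) {
            return null;                    // "..", NUL, or an embedded separator
        }
        $segments[] = $seg;
    }
    if (!safeComponent($filename)) {
        return null;
    }
    $segments[] = $filename;

    $target = $root . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments);

    // Belt and braces: the assembled path must still sit under the root.
    if (strncmp($target, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Chunk files are named from the upload identifier and chunk number. Hashing
// the identifier and casting the number to int means the on-disk name is
// fully server-controlled whatever the client sent.
function chunkFileName(string $identifier, int $chunkNumber): string
{
    return hash('sha256', $identifier) . '.part' . $chunkNumber;
}

// Constructed inputs: the traversal string quoted in the report, an absolute
// path, a NUL-byte trick, and one legitimate upload.
$root = sys_get_temp_dir();
$cases = [
    ['../../test-hack.txt', '../../test-hack.txt'],
    ['/etc', 'passwd'],
    ['photos', "ok.png\0.php"],
    ['photos/2023', 'holiday.png'],
];
foreach ($cases as [$rel, $name]) {
    $path = safeUploadPath($root, $rel, $name);
    printf("%-24s %-22s -> %s\n", $rel, addcslashes($name, "\0"), $path ?? 'REJECTED');
}
echo chunkFileName('client-supplied-id', 3), "\n";
```

The first three cases are rejected and the fourth lands under the temp directory. Note that the absolute path is not rejected as such: after the empty leading segment is dropped it is simply treated as a relative directory under the root, which is the safe interpretation. Whether an upload handler should instead refuse absolute paths outright is a policy choice; either way it cannot escape.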
Closing notes
Five CVEs over five years is not a lot in the grand scheme of bug-hunting, but they are all real bugs in widely-deployed PHP code, fixed by responsive maintainers. To everyone who triaged my reports, replied to my emails, and shipped the fixes: thank you. That responsiveness is what makes coordinated disclosure worth doing.