PHPMyAdmin 4.8.0 ~ 4.8.1 Remote Code Execution

Henry Huang
2 min read · Jun 29, 2018

TL;DR

I discovered a file inclusion vulnerability in index.php of PMA 4.8.0 ~ 4.8.1, assigned CVE-2018-12613. It is caused by a validation bypass in the path checking function Core::checkPageValidity. The vulnerability enables an authenticated remote attacker to execute arbitrary PHP code on the server.

Vulnerability Explained

There is a file inclusion in index.php:

if (! empty($_REQUEST['target'])
    && is_string($_REQUEST['target'])
    && ! preg_match('/^index/', $_REQUEST['target'])
    && ! in_array($_REQUEST['target'], $target_blacklist)
    && Core::checkPageValidity($_REQUEST['target'])
) {
    include $_REQUEST['target'];
    exit;
}
// ...

This include used to be properly protected by the conditions in the if statement, but in the 4.8.0 release the last check was changed to reuse the existing function Core::checkPageValidity, which (I think) is meant to validate URL paths rather than include targets. Hence URL features can be exploited to reach arbitrary file inclusion. The function goes like:

public static function checkPageValidity(&$page, array $whitelist = [])
{
    // ...
    $_page = mb_substr(
        $page,
        0,
        mb_strpos($page . '?', '?')
    );
    // $whitelist == array('db_datadict.php', 'sql.php', ...)
    if (in_array($_page, $whitelist)) {
        return true;
    }
    // ...
    return false;
}
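The root cause is a validate-one-thing, use-another mismatch: the whitelist is compared against the substring before the first `?`, while index.php includes the full string. The following is an added example, not code from this post or from phpMyAdmin, that re-creates that check beside an exact-match variant of my own and runs both over constructed targets; the whitelist, function names and sample targets are assumptions for the demo.

```php
<?php
// Added example (not phpMyAdmin code): the 4.8.0/4.8.1 check shape next to
// an exact-match check, run over constructed include targets.

// Assumption: a small stand-in for PMA's goto whitelist.
const DEMO_WHITELIST = ['db_datadict.php', 'sql.php'];

// Vulnerable shape: only the part before the first '?' is compared to the
// whitelist, but the caller goes on to include the whole string.
function checkPageValidityVulnerable(string $page, array $whitelist): bool
{
    // mb_strpos($page . '?', '?') is the offset of the first '?' (or the end)
    $_page = mb_substr($page, 0, mb_strpos($page . '?', '?'));
    return in_array($_page, $whitelist, true);
}

// Hardened shape for an include decision: the exact string that will be
// included must itself be whitelisted; no query-string stripping at all.
function checkIncludeTarget(string $page, array $whitelist): bool
{
    return in_array($page, $whitelist, true);
}

// Constructed targets: a legitimate page, the same page with a '?' suffix
// that the vulnerable check silently discards, and an unlisted page.
$targets = [
    'sql.php',
    'sql.php?x',
    'not_listed.php',
];

foreach ($targets as $t) {
    printf(
        "%-16s vulnerable=%-5s exact=%s\n",
        $t,
        checkPageValidityVulnerable($t, DEMO_WHITELIST) ? 'true' : 'false',
        checkIncludeTarget($t, DEMO_WHITELIST) ? 'true' : 'false'
    );
}
```

The run shows the substring check accepting `sql.php?x` while the exact-match check accepts only `sql.php`; when a validator's result feeds an `include`, the value that is validated must be the value that is included.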
