
Security researcher publishes exploit for phpMyAdmin vulnerability

Security researcher Manuel Garcia Cardenas has published the details and proof-of-concept (PoC) exploit code for a vulnerability in phpMyAdmin.

The vulnerability is a Cross-Site Request Forgery (CSRF) flaw; exploiting it allows an attacker to trick an authenticated user into deleting a configured server.

CSRF is a well-known class of web security bug, so its appearance in a tool as widely used as phpMyAdmin is not a surprise.


The vulnerability (CVE-2019-12922) allows an attacker to delete any configured server from the victim's phpMyAdmin panel. The attacker only needs to send a crafted URL to a web administrator who is logged in to phpMyAdmin in the same browser and trick them into following it; the request then removes the configured server on the settings page.

“An attacker can easily create a fake hyperlink containing a request that is executed on behalf of the user, thus making it possible for the CSRF attack to be caused by the incorrect use of the HTTP method,” explains Cardenas.

The vulnerability affects phpMyAdmin versions up to and including the latest release, 4.9.0.1, as well as the phpMyAdmin 5.0.0-alpha1 build released in July 2019.

The vulnerability was discovered in June 2019, but 90 days later the developers had still not fixed it.

“The developers did not patch the vulnerability yet. I notified them on the 13th of June, requested again on the 16th of July… and released the full disclosure on the 13th of September (90 days after the first notification). They did not correct it in 5.0.0-alpha1,” said Manuel Garcia Cardenas.

Although the vulnerability allows disruption of service, it does not enable remote code execution-style attacks.

Solution:
Validate the token variable on every request, as is already done for other phpMyAdmin requests.
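The following added example (not phpMyAdmin's own code) illustrates the fix the researcher describes: a state-changing "remove server" handler that accepts a GET request with no token, beside a hardened version that requires POST and validates a per-session anti-CSRF token. The `remove_server` parameter name, the `Session` and `Request` types and the sample data are constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed server-side session: configured servers plus a per-session CSRF token."""
    servers: dict
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed request: HTTP method and the query/form parameters."""
    method: str
    params: dict


def delete_server_vulnerable(session: Session, request: Request) -> bool:
    """Weak pattern: a state change driven by a plain GET with no token check.
    Any link the logged-in user follows performs the deletion."""
    idx = int(request.params["remove_server"])  # assumed parameter name
    return session.servers.pop(idx, None) is not None


def delete_server_hardened(session: Session, request: Request) -> bool:
    """Hardened pattern: state changes only via POST, and only when the request
    carries the token bound to this session (compared in constant time)."""
    if request.method != "POST":
        return False
    token = request.params.get("token", "")
    if not hmac.compare_digest(token.encode(), session.csrf_token.encode()):
        return False
    try:
        idx = int(request.params["remove_server"])
    except (KeyError, ValueError):
        return False
    if idx not in session.servers:
        return False
    del session.servers[idx]
    return True
```

A legitimate form embeds the same token value the server stored in the session, so a link constructed elsewhere cannot know it and is rejected.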

Reference:
phpMyAdmin is a free, open-source administration tool for MySQL and MariaDB that is widely used to manage the databases behind websites built with WordPress, Joomla, etc.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after graduating from school. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor. In 2018, I decided to start the Virus Removal project. The main goal of this site is to help people deal with PC viruses of any kind.
