XSRF vulnerability in phpMyAdmin; there is no patch to fix this flaw so far

Vulnerability testing specialists have reported an unpatched zero-day vulnerability in phpMyAdmin, one of the world’s most widely used management applications for MySQL and MariaDB databases. In addition to reporting the vulnerability, the experts published details of a proof-of-concept for its exploitation.

For background, phpMyAdmin is a free and open source tool for managing MySQL and MariaDB, widely used to administer the databases of websites built with products like Joomla and WordPress, among other Content Management Systems (CMS).

Manuel Garcia, an expert in cybersecurity and vulnerability testing, was in charge of the finding. In his report, the expert states that this is a cross-site request forgery (XSRF) vulnerability, which involves tricking an authenticated user into executing malicious actions on the target system.

The vulnerability, tracked as CVE-2019-12922, was considered to be of medium severity, mainly because of its limited scope: its exploitation only allows threat actors to delete servers configured on the configuration page of a phpMyAdmin panel on the victims’ server.

However, the vulnerability testing expert points out that this attack does not allow hackers to delete databases without interaction from victims, as it relies on sending specially crafted URLs to specific content managers with active phpMyAdmin sessions. “The hacker trying to exploit this flaw must trick the victim into deleting the configured server without realizing it,” Garcia says.

In addition, “a hacker could easily create a fake hyperlink containing the request that they want to execute through the victim, making possible the XSRF attack due to the incorrect use of the HTTP method,” the expert added.

The vulnerability is present in all versions of phpMyAdmin up to the latest (4.9.0.1). In addition, the expert added that the flaw also resides in phpMyAdmin 5.0.0-alpha1, a version released about a month ago. The vulnerability was discovered last June, and the phpMyAdmin security team was notified in accordance with established procedures.

However, the company failed in its attempt to release a patch to fix the vulnerability, so the specialist decided to publicly disclose his findings, along with the proof-of-concept, once the 90-day period following submission of the report had elapsed.

As the flaw remains unpatched, vulnerability testing specialists from the International Institute of Cyber Security (IICS) recommend resorting to workarounds, such as validating the anti-CSRF token on every request that changes state, at least until the security patch is ready.
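The workaround recommended above, and the “incorrect use of the HTTP method” Garcia describes, are shown below in an added example that is not code from phpMyAdmin or from the researcher’s report. It models a hypothetical “delete configured server” handler in two forms: one that acts on any request naming a server id (so a link the victim follows, which the browser sends as a GET with no token, succeeds), and a hardened one that only accepts POST and checks a per-session anti-CSRF token in constant time. The `Request`, `Session` and handler names are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    params: dict


@dataclass
class Session:
    """Authenticated user's server-side session (constructed for this example)."""
    # Per-session anti-CSRF token, generated once at login and embedded in
    # legitimate forms; a third-party page cannot read it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))
    # Configured servers, keyed by id, standing in for the panel's server list.
    servers: dict = field(default_factory=lambda: {1: "primary-db", 2: "replica-db"})


def delete_server_vulnerable(req: Request, session: Session) -> str:
    """Hypothetical handler with the weakness described in the article:
    any request that names a server id deletes it, regardless of HTTP
    method and without a token check, so a crafted link is enough."""
    if req.params.get("action") != "delete_server":
        return "ignored"
    server_id = int(req.params["id"])
    if session.servers.pop(server_id, None) is None:
        return "not_found"
    return "deleted"


def delete_server_hardened(req: Request, session: Session) -> str:
    """Same action with the two controls a practitioner would add."""
    # 1. A state-changing action must arrive as POST. A hyperlink the
    #    victim clicks is always a GET, so it is refused before any work.
    if req.method != "POST":
        return "rejected_method"
    if req.params.get("action") != "delete_server":
        return "ignored"
    # 2. The request must carry the session's anti-CSRF token. Compare in
    #    constant time; encode so a non-ASCII submitted value cannot raise.
    submitted = req.params.get("token", "")
    if not hmac.compare_digest(submitted.encode(), session.csrf_token.encode()):
        return "rejected_token"
    server_id = int(req.params["id"])
    if session.servers.pop(server_id, None) is None:
        return "not_found"
    return "deleted"


def demo() -> dict:
    """Run the same forged and legitimate requests against both handlers."""
    results = {}

    # Forged request: what the browser sends when the victim follows a
    # crafted link while logged in. No token, GET method.
    forged_get = Request("GET", {"action": "delete_server", "id": "1"})
    results["vulnerable_forged_get"] = delete_server_vulnerable(forged_get, Session())
    results["hardened_forged_get"] = delete_server_hardened(forged_get, Session())

    # Forged POST (e.g. an auto-submitted cross-site form): still no valid token.
    forged_post = Request("POST", {"action": "delete_server", "id": "1", "token": "guess"})
    results["hardened_forged_post"] = delete_server_hardened(forged_post, Session())

    # Legitimate request: the panel's own form includes the session token.
    session = Session()
    legit = Request("POST", {"action": "delete_server", "id": "1",
                             "token": session.csrf_token})
    results["hardened_legitimate_post"] = delete_server_hardened(legit, session)
    results["servers_remaining"] = sorted(session.servers)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The method check alone defeats the link-based scenario in the article; the token check is what protects against a cross-site form that submits a POST, which is why both belong on every state-changing endpoint rather than only on the page that renders the form.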

In addition, it is strongly recommended that administrators of websites managed with these CMS platforms refrain from clicking on suspicious or unverified links, at least until the phpMyAdmin security team manages to develop a patch to fix this flaw.
