Warning: Researcher Drops phpMyAdmin Zero-Day Affecting All Versions

News

A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases.

phpMyAdmin is a free and open source administration tool for MySQL and MariaDB that’s widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms.

Discovered by security researcher and pentester Manuel Garcia Cardenas, the vulnerability is described as a cross-site request forgery (CSRF) flaw, also known as XSRF, a well-known class of attack in which attackers trick authenticated users into executing an unwanted action.

Identified as CVE-2019-12922, the flaw has been given a medium rating because of its limited scope: it only allows an attacker to delete any configured server from the Setup page of a victim's phpMyAdmin instance by triggering a CSRF attack.

All an attacker needs to do is send a crafted URL to targeted web administrators who are already logged in to their phpMyAdmin panel in the same browser, tricking them into unknowingly deleting (DROP) the entire server simply by clicking on it.

“The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, in this way making possible a CSRF attack due to the wrong use of HTTP method,” Cardenas explains in a post to the Full Disclosure mailing list.

The vulnerability is trivial to exploit because other than knowing the URL of a targeted server, an attacker doesn’t need to know the name of the database server he wants to drop.

Proof of Concept Exploit Code (screenshot not reproduced here)

The vulnerability affects phpMyAdmin versions up to and including 4.9.0.1, which is the latest version of the software at the time of writing.

The security flaw also resides in phpMyAdmin 5.0.0-alpha1, which was released in July 2019, Cardenas told The Hacker News.

Cardenas discovered this vulnerability back in June 2019, and also responsibly reported it to the project maintainers.

However, after phpMyAdmin maintainers failed to patch the vulnerability within 90 days of being notified, the researcher decided to release the vulnerability details and PoC to the public on 13 September.

To address this vulnerability, Cardenas recommended that the maintainers “implement in each call the validation of the token variable, as already done in other phpMyAdmin requests.”
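To make the recommended fix concrete, here is an added PHP illustration (not phpMyAdmin's code; the handler, function and parameter names are assumed) of a state-changing "delete server" action first written in the GET-driven, token-less style the article describes, then hardened by requiring POST and validating a session-bound token on every call.

```php
<?php
// Added illustration, not phpMyAdmin's own code. $servers is an assumed
// array of configured servers keyed by an integer id.
session_start();

// Vulnerable pattern: a state change driven purely by query-string
// parameters. Because the browser attaches the victim's session cookie to
// any request, a link to ?action=delete&id=1 is honoured without consent.
function delete_server_vulnerable(array $servers): array {
    if (($_GET['action'] ?? '') === 'delete') {
        unset($servers[(int) ($_GET['id'] ?? -1)]);
    }
    return $servers;
}

// Hardened pattern: one unguessable token per session, checked on each call.
function csrf_token(): string {
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function delete_server_hardened(array $servers): array {
    // State changes must not be reachable via GET; a plain link cannot POST.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return $servers;
    }
    $given = $_POST['token'] ?? '';
    // hash_equals() compares in constant time so the token is not leaked
    // through timing differences.
    if (!is_string($given) || !hash_equals(csrf_token(), $given)) {
        http_response_code(403);
        return $servers;
    }
    if (($_POST['action'] ?? '') === 'delete') {
        unset($servers[(int) ($_POST['id'] ?? -1)]);
    }
    return $servers;
}

// The legitimate form embeds the token so only pages served to this session
// can produce an accepted request:
//   <form method="post">
//     <input type="hidden" name="token"
//            value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
//     <input type="hidden" name="action" value="delete">
//   </form>
```

Setting the session cookie with the SameSite attribute adds a second, browser-enforced layer, but the per-request token check is the fix the page itself calls for.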

Until the maintainers patch the vulnerability, website administrators and hosting providers are highly recommended to avoid clicking any suspicious links.
