A cybersecurity researcher recently published details and proof-of-concept for an unpatched zero-day vulnerability in phpMyAdmin—one of the most popular applications for managing the MySQL and MariaDB databases.
phpMyAdmin is a free and open source administration tool for MySQL and MariaDB that’s widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms.
Discovered by security researcher and pentester Manuel Garcia Cardenas, the vulnerability is described as a cross-site request forgery (CSRF) flaw, also known as XSRF, a well-known class of attack in which attackers trick authenticated users into executing an unwanted action.
Identified as CVE-2019-12922, the flaw has been given a medium rating because of its limited scope that only allows an attacker to delete any server in the Setup page of a phpMyAdmin victim by triggering a CSRF attack.
All an attacker needs to do is send a crafted URL to targeted web administrators who are already logged in to their phpMyAdmin panel in the same browser; simply clicking on it tricks them into unknowingly deleting (DROP) the entire server.
“The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, in this way making possible a CSRF attack due to the wrong use of HTTP method,” Cardenas explains in a post to the Full Disclosure mailing list.
The vulnerability is trivial to exploit because other than knowing the URL of a targeted server, an attacker doesn’t need to know the name of the database server he wants to drop.
Proof of Concept Exploit Code
The vulnerability affects phpMyAdmin versions up to and including 18.104.22.168, which is the latest version of the software at the time of writing.
The security flaw also resides in phpMyAdmin 5.0.0-alpha1, which was released in July 2019, Cardenas told The Hacker News.
Cardenas discovered this vulnerability back in June 2019, and also responsibly reported it to the project maintainers.
However, after phpMyAdmin maintainers failed to patch the vulnerability within 90 days of being notified, the researcher decided to release the vulnerability details and PoC to the public on 13 September.
To address this vulnerability, Cardenas recommended that the project “implement in each call the validation of the token variable, as already done in other phpMyAdmin requests.”
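The wrong-use-of-HTTP-method point above and Cardenas's recommended fix (token validation on every call), as an added illustration that is not phpMyAdmin's code: a hypothetical PHP setup handler in its vulnerable form (a state change honoured on a tokenless GET) beside a hardened form that requires POST and a per-session synchronizer token. The function names, the `token` parameter, the session keys and the sample server list are all assumptions.

```php
<?php
// Added illustration, not phpMyAdmin's code. A stand-alone handler that
// removes a saved server entry from a session-held setup configuration.
// remove_server_*(), csrf_token() and the session keys are hypothetical.
session_start();

// Constructed sample state: two configured servers in the setup session.
$_SESSION['servers'] = $_SESSION['servers'] ?? ['db1.example.internal', 'db2.example.internal'];

// VULNERABLE pattern: a state-changing action reachable by a plain GET and
// carrying no token, so a link followed by an already logged-in admin is
// enough to trigger it from any other page (CSRF).
function remove_server_vulnerable(): void
{
    if (($_GET['action'] ?? '') === 'remove') {
        unset($_SESSION['servers'][(int) ($_GET['id'] ?? -1)]);
    }
}

// HARDENED pattern: honour the action only on POST and only when the request
// carries the per-session synchronizer token, compared in constant time.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function remove_server_hardened(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);          // state changes never ride on GET
        return;
    }
    $sent = $_POST['token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);          // missing or wrong token: reject
        return;
    }
    if (($_POST['action'] ?? '') === 'remove') {
        unset($_SESSION['servers'][(int) ($_POST['id'] ?? -1)]);
    }
}

remove_server_hardened();
// The legitimate form must embed the same token so the check can pass.
echo '<form method="post"><input type="hidden" name="token" value="'
   . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
   . '<input type="hidden" name="action" value="remove">'
   . '<input type="hidden" name="id" value="0"><button>Remove server 0</button></form>';
```

Because the token lives in the server-side session and is only ever emitted into the site's own form, a request forged from a third-party page cannot supply it, which is the property the recommended fix relies on.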
Until the maintainers patch the vulnerability, website administrators and hosting providers are strongly advised to avoid clicking any suspicious links.