phpMyAdmin is a free tool used by millions around the world to manage MySQL and MariaDB databases over the web. Joomla, WordPress, etc. are some of the popular products which use phpMyAdmin. Manuel Garcia Cardenas, a security researcher, discovered a CSRF vulnerability which allows tampering with the server configuration in phpMyAdmin.

An attacker can delete a configured server in the setup page of a phpMyAdmin panel by tricking a user who is already logged in to phpMyAdmin into simply clicking a crafted URL. The attacker only needs to know the URL of the targeted phpMyAdmin instance. However, this vulnerability has been rated medium because a successful attack does not allow the attacker to delete a database or a table stored on the server; it only removes the server entry from the setup page of the phpMyAdmin panel.

This vulnerability was reported to the vendor in June 2019, but was not fixed within the 90-day disclosure period. The researcher has published the vulnerability, tracked as CVE-2019-12922, together with the following PoC:

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

The researcher has also suggested validating a CSRF token on every request as a possible fix for the vulnerability. The vendor has issued no fix for this vulnerability. We will send out updates as and when a fix is released. In the meantime, we strongly suggest being extremely cautious before clicking on any suspicious link that might trigger the vulnerability.
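To make the suggested fix concrete, here is an added example (not phpMyAdmin's own code) of how a setup-page "remove server" handler can enforce it. It applies two checks: state-changing actions are accepted only over POST, so a GET triggered by a hidden image never reaches the deletion branch, and every such request must carry a per-session CSRF token that is compared in constant time against the one stored server-side. The function names, parameter names, session layout and the server list are assumptions for illustration.

```php
<?php
// Added example, not code from phpMyAdmin: a minimal "remove server" handler
// for a hypothetical setup page that enforces (1) POST for state changes and
// (2) a per-session CSRF token on every such request. Names are assumptions.
declare(strict_types=1);

// Issue one random token per session. A legitimate form embeds it as a hidden
// field; a cross-site <img> or auto-submitted form cannot read it.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Constant-time comparison; missing or malformed input fails closed.
function csrf_token_valid(array $session, $submitted): bool
{
    if (empty($session['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Returns [status code, message] instead of echoing so it can be exercised
// without a web server. $servers is the configured-server list (id => name).
function handle_remove_server(string $method, array $post, array $session, array &$servers): array
{
    // A GET such as ...?page=servers&mode=remove&id=1 is rejected outright.
    if ($method !== 'POST') {
        return [405, 'state-changing actions require POST'];
    }
    if (!csrf_token_valid($session, $post['token'] ?? null)) {
        return [403, 'missing or invalid CSRF token'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($servers[$id])) {
        return [404, 'no such server'];
    }
    unset($servers[$id]);
    return [200, "server {$id} removed"];
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: {$what}");
    }
}

// Self-check with a constructed session and a constructed server list.
$session = [];
$servers = [1 => 'db-primary', 2 => 'db-replica'];
$token   = csrf_token($session);

// 1. The hidden-image request: GET, no token -> rejected, nothing deleted.
[$code] = handle_remove_server('GET', [], $session, $servers);
check($code === 405 && count($servers) === 2, 'GET is rejected');

// 2. A forged POST without the session token -> rejected, nothing deleted.
[$code] = handle_remove_server('POST', ['id' => '1'], $session, $servers);
check($code === 403 && count($servers) === 2, 'POST without token is rejected');

// 3. The legitimate form submission carrying the session token -> accepted.
[$code] = handle_remove_server('POST', ['id' => '1', 'token' => $token], $session, $servers);
check($code === 200 && !isset($servers[1]) && isset($servers[2]), 'valid request removes only server 1');

echo "all checks passed\n";
```

The method check alone is what neutralises the published PoC and a top-level navigation to the crafted URL; the token check is what stops a forged POST, which a method check by itself would still accept.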


Affected Products

phpMyAdmin versions 4.9.0.1 and earlier. phpMyAdmin 5.0.0-alpha1 has also been reported as vulnerable.


Impact

An attacker can trick a user into clicking a crafted link and launch a CSRF attack in the context of the logged-in user.


Solution

While no workaround or remediation is available currently, we will continue to monitor this vulnerability and update this advisory as and when a fix is available. In the meantime, our general recommendation is to refrain from clicking on any suspicious links.


ALERT: phpMyAdmin Servers vanish with a click!
Publisher: SecPod Technologies
