phpMyAdmin is a free tool used by millions around the world to manage MySQL and MariaDB databases over the web. Joomla, WordPress, etc are some of the popular products which use phpMyAdmin. Manuel Garcia Cardenas, a security researcher, discovered a CSRF vulnerability which can meddle with the server configurations in phpMyAdmin.
An attacker can delete a configured server in the setup page of a phpMyAdmin panel by tricking a user who is already logged in to the phpMyAdmin page, to just click on a crafted URL. An attacker only needs to have information about the URL of the targeted server. However, this vulnerability has been rated medium as a successful attack does not allow an attacker to delete a database or a table stored on the server but only deletes the server name in the setup page of a phpMyAdmin panel.
<p>Deleting Server 1</p> <img src=" http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />
The researcher has also mentioned validating tokens on every call as a possible solution to the vulnerability. The vendor has issued no fix for this vulnerability. We will send out updates as and when a fix is released for this vulnerability. But in the meantime, we strongly suggest being extremely cautious before clicking on any suspicious links which might trigger the vulnerability.
csrf vulnerability affected in phpMyAdmin versions 126.96.36.199 and before. phpMyAdmin 5.0.0-alpha1 has also been reported as vulnerable.
An attacker can trick a user to click on a crafted link and launch CSRF attacks in the context of the logged in user.
While there is no workaround or remediation available currently, we will continue to monitor this vulnerability and update as and when a fix is available. In the meantime, our general recommendation is to refrain from clicking on any suspicious links.