phpMyAdmin zero-day vulnerability

A zero-day cross-site request forgery has been found in phpMyAdmin by a security researcher and pentester named Manuel Garcia Cardenas. phpMyAdmin is a free and open source administration tool for MySQL and MariaDB that’s widely used to manage the database for websites created with WordPress, Joomla, and many other content management platforms.

The vulnerability is a cross-site request forgery (CSRF) flaw, also known as XSRF, a well-known attack in which attackers trick authenticated users into executing an unwanted action. It allows an attacker to delete any server in the setup page using CSRF. The severity is not critical, since the flaw does not allow an attacker to delete or alter any data stored in the databases and affects only the elements in the setup page. The flaw affects phpMyAdmin versions up to and including 4.9.0.1. It is also present in phpMyAdmin 5.0.0-alpha1, which was released in July 2019.

Cardenas discovered this vulnerability back in June 2019 and responsibly reported it to the project maintainers. However, after the phpMyAdmin maintainers failed to patch the vulnerability within 90 days of being notified, the researcher decided to release the vulnerability details and PoC to the public on 13 September. According to the researcher’s post to the Full Disclosure mailing list, “The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user, in this way making possible a CSRF attack due to the wrong use of HTTP method.”

Steps for intrusion: An attacker only has to send a crafted URL to a targeted web administrator who is logged in to phpMyAdmin in the same browser. As soon as the administrator clicks on it, they are tricked into unknowingly deleting the configured server.

  • First, the intruder has to be authenticated; after this procedure, the SQL query will create a session.
  • Invoking the ../../../../../…./var/lib/sessionId, the attack can be performed.

Solution Suggested: “Implement in each call the validation of the token variable, as already done in other phpMyAdmin requests,” the researcher suggests.

REVISION HISTORY:

June 13, 2019 1: Initial release

September 13, 2019 2: Last revision

DISCLOSURE TIMELINE:

June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas

June 13, 2019 2: Sent to vendor

July 16, 2019 3: New request to vendor without fix date

September 13, 2019 4: Sent to lists

CVE ID: 2019-12922

Severity: 4.3/10 (CVSS Base Score)

PROOF OF CONCEPT:

Exploit CSRF – Deleting main server

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />
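On the defensive side, the request in the proof of concept leaves a recognisable line in the web server's access log. The following Python sketch is an added example, not part of the advisory or of phpMyAdmin: it flags GET requests that remove a setup-page server entry and classifies them by Referer. It assumes the Apache/nginx "combined" log format; the sample lines, host names and the `own_hosts` parameter are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed; adjust to your LogFormat).
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines: hosts, addresses and status codes are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Sep/2019:10:02:11 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=1 HTTP/1.1" 200 5120 "https://blog.example.net/post/1" "Mozilla/5.0"
203.0.113.7 - - [13/Sep/2019:10:05:40 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=2 HTTP/1.1" 200 5120 "https://db.example.org/phpmyadmin/setup/index.php" "Mozilla/5.0"
198.51.100.4 - - [13/Sep/2019:10:06:02 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=edit&id=1 HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
198.51.100.4 - - [13/Sep/2019:10:07:15 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def classify(line, own_hosts):
    """Return a finding for a GET that removes a setup server entry, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    params = parse_qs(url.query)
    if not url.path.endswith("/setup/index.php"):
        return None
    if params.get("page") != ["servers"] or params.get("mode") != ["remove"]:
        return None
    # hostname is None when the Referer field is "-" or empty.
    ref_host = urlsplit(m["referer"]).hostname
    if ref_host is None:
        origin = "no-referer"
    elif ref_host in own_hosts:
        origin = "same-site"
    else:
        origin = "cross-site"
    return {"client": m["client"], "time": m["time"],
            "id": params.get("id", [""])[0],
            "status": int(m["status"]), "origin": origin}

def scan(log_text, own_hosts):
    """Classify every line of a log and keep only the findings."""
    hits = (classify(line, own_hosts) for line in log_text.splitlines())
    return [h for h in hits if h]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, {"db.example.org"}):
        print(finding)
```

A `cross-site` finding is the strongest signal, because the removal request was triggered from a page on another host. A `no-referer` finding is ambiguous, since browsers and referrer policies can strip the header.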