XSRF vulnerability in phpMyAdmin; there is no patch to fix this flaw so far

Vulnerability testing specialists have reported an unpatched zero-day vulnerability in phpMyAdmin, one of the world’s most widely used MySQL and MariaDB database management applications. In addition to reporting the vulnerability, the experts published some details of a proof-of-concept for its exploitation.

phpMyAdmin is a free and open source tool for managing MySQL and MariaDB, widely used to manage the databases of websites built on Joomla, WordPress and other content management systems (CMS).

Manuel Garcia, a cybersecurity and vulnerability testing expert, reported the finding. In his report he states that this is a cross-site request forgery (XSRF) vulnerability, a class of flaw in which an authenticated user is tricked into performing unintended actions on the target system.

The vulnerability, tracked as CVE-2019-12922, was rated medium severity, mainly because of its limited scope: exploiting it only lets a threat actor delete servers configured on the configuration page of the victim’s phpMyAdmin panel.

However, the vulnerability testing expert points out that this attack does not allow hackers to delete databases without interaction from the victim, as it relies on sending specially crafted URLs to specific content managers with active phpMyAdmin sessions. “The hacker trying to exploit this flaw must trick the victim into deleting the configured server without realizing it,” Garcia says.

In addition, “a hacker could easily create a fake hyperlink containing the request that they want to execute through the victim, making possible the XSRF attack due to the incorrect use of the HTTP method,” the expert added. 

The vulnerability is present in all versions of phpMyAdmin up to and including the latest release (4.9.0.1). The expert added that the flaw is also present in phpMyAdmin 5.0.0-alpha1, a version released about a month ago. The vulnerability was discovered last June, and the phpMyAdmin security team was notified in accordance with established procedures.

However, the company did not manage to release a patch for the vulnerability, so the specialist decided to publicly disclose his findings, together with the proof-of-concept, once the 90-day period following submission of the report had elapsed.

As the flaw remains unpatched, vulnerability testing specialists from the International Institute of Cyber Security (IICS) recommend workarounds such as validating the anti-CSRF token on every request, at least until the security patch is ready.
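The two patterns the article contrasts, a state-changing action exposed through the wrong HTTP method (the flaw Garcia describes) and the per-request token validation IICS recommends as a workaround, shown side by side as an added example. This is not phpMyAdmin’s code and nothing from Garcia’s report; the handler names, the in-memory server list and the `example.internal` hostnames are constructed for illustration, and requests are plain arrays so the script runs from the CLI without a web server.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. Models a "delete configured server"
// action in two forms: the CSRF-prone pattern (a state-changing action
// reachable through a plain GET with no token) and a hardened form that
// requires POST and validates a per-session token on every call.

// Constructed configuration page: server id => hostname.
function initialServers(): array
{
    return [
        1 => 'db-primary.example.internal',
        2 => 'db-replica.example.internal',
    ];
}

// Vulnerable pattern: the only input is a server id in the query string.
// A browser that follows an attacker-supplied link sends this request with
// the victim's session cookie attached, so "is the user logged in?" passes
// even though the user never intended the deletion.
function deleteServerVulnerable(array &$servers, array $request): string
{
    $id = (int) ($request['query']['delete'] ?? 0);
    if (!isset($servers[$id])) {
        return 'no such server';
    }
    unset($servers[$id]);
    return 'deleted';
}

// Issue (or reuse) an unguessable token bound to the session.
function issueToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hardened pattern: state changes only over POST, and only when the body
// carries the session's token. hash_equals() keeps the comparison
// constant-time; the token is read from the body, never the query string.
function deleteServerHardened(array &$servers, array $session, array $request): string
{
    if (($request['method'] ?? 'GET') !== 'POST') {
        return 'rejected: method not allowed';
    }
    $expected = (string) ($session['csrf_token'] ?? '');
    $given    = (string) ($request['body']['token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'rejected: missing or invalid token';
    }
    $id = (int) ($request['body']['delete'] ?? 0);
    if (!isset($servers[$id])) {
        return 'no such server';
    }
    unset($servers[$id]);
    return 'deleted';
}

// --- Demonstration with constructed requests -------------------------------

$servers = initialServers();
// A forged GET, such as a link the victim was tricked into clicking.
echo 'vulnerable, forged GET:    ',
    deleteServerVulnerable($servers, ['method' => 'GET', 'query' => ['delete' => '1']]),
    ' (', count($servers), " servers left)\n";

$servers = initialServers();
$session = [];
$token   = issueToken($session);

echo 'hardened, forged GET:      ',
    deleteServerHardened($servers, $session, ['method' => 'GET', 'query' => ['delete' => '1']]), "\n";
echo 'hardened, POST, no token:  ',
    deleteServerHardened($servers, $session, ['method' => 'POST', 'body' => ['delete' => '1']]), "\n";
echo 'hardened, POST, bad token: ',
    deleteServerHardened($servers, $session, ['method' => 'POST',
        'body' => ['delete' => '1', 'token' => str_repeat('0', 64)]]), "\n";
echo 'hardened, legitimate POST: ',
    deleteServerHardened($servers, $session, ['method' => 'POST',
        'body' => ['delete' => '1', 'token' => $token]]),
    ' (', count($servers), " servers left)\n";
```

Run with `php csrf_example.php`. The point of the hardened handler is that the method check and the token check are independent: restricting the action to POST stops the plain-link case the article describes, but only the per-session token, checked on every call rather than once at login, stops a forged form submission, so neither check is sufficient on its own.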

In addition, administrators of websites managed with these CMSs are strongly advised not to click on suspicious or unverified links, at least until the phpMyAdmin security team develops a patch for this flaw.