Clicking on the wrong hyperlink could let attackers delete servers

A gaping cross-site request forgery (CSRF) vulnerability in phpMyAdmin makes it possible to delete any server in the “Setup Page”.

The CVE-2019-12922 bug in phpMyAdmin, a free software tool for administering MySQL over the web, stems from the software's failure to verify the authenticity of requests.

This shortcoming could allow an attacker to delete a server, provided they can trick its administrator into clicking on a booby-trapped link.

Manuel Garcia Cardenas, the security researcher and pen tester who discovered the bug, explains in a post to the Full Disclosure mailing list: “The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, in this way making possible a CSRF attack due to the wrong use of the HTTP method.”

phpMyAdmin versions up to and including 4.9.0.1 – the latest supported version – are all vulnerable.

The Daily Swig reached out to phpMyAdmin's developers for clarification on whether the bug affected the latest version of their software.

We also contacted Garcia, who confirmed the latest version of the software was still vulnerable.

“The developers did not patch the vulnerability yet,” Garcia told The Daily Swig. “I notified on the 13th of June, requested again on the 16th of July... and released the full disclosure on the 13th of September (90 days after the first notification).”

“They did not correct it in 5.0.0-alpha1,” he added.

Garcia offered admins one possible workaround, to “implement in each call the validation of the token variable, as already done in other phpMyAdmin requests.”
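The workaround Garcia describes is the standard CSRF defence: every state-changing request must carry a per-session token that the server checks, and destructive actions must not be reachable through a plain GET link. The PHP handler below is an added illustration of that pattern, not phpMyAdmin's own code; the `removeServer()` function and the `token` field name are hypothetical.

```php
<?php
// Illustrative handler for a destructive "remove server" action.
// Added example of the token-validation workaround; not phpMyAdmin code.
session_start();

// Issue one random token per session and embed it in every form
// that performs a state change (see the HTML comment at the bottom).
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject the request unless it is a POST whose token matches the session's.
// A link in an email or a third-party page can only trigger a GET, and a
// cross-site form post cannot read the victim's session token, so both are refused.
function assertValidStateChange(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('State-changing actions must be sent with POST');
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $supplied = $_POST['token'] ?? '';
    // hash_equals() compares in constant time; an empty expected token means
    // no form was ever rendered for this session, so nothing can be valid.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        http_response_code(403);
        exit('Missing or invalid CSRF token');
    }
}

if (($_POST['action'] ?? '') === 'remove_server') {
    assertValidStateChange();
    removeServer((int) $_POST['id']); // hypothetical application function
}

// The form that triggers the action embeds the token as a hidden field:
// <form method="post">
//   <input type="hidden" name="action" value="remove_server">
//   <input type="hidden" name="token" value="<?= htmlspecialchars(csrfToken()) ?>">
//   ...
// </form>
```

Setting the session cookie with the `SameSite` attribute adds a second, independent layer, but the token check is what makes each request verifiably originate from the application's own page.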

Although the vulnerability allows for the disruption of service, it does not give rise to remote code execution-style attacks.

CSRF is a well-known category of web security bug, which makes its appearance in a tool as widely used as phpMyAdmin somewhat disconcerting.