
phpMyAdmin CSRF vulnerability explained

phpMyAdmin is a widely used web-based MySQL database manager, and most WordPress users will have met it in their hosting control panel. Recently a CSRF (Cross-Site Request Forgery) vulnerability in phpMyAdmin versions 4.7.x (before 4.7.7) was disclosed by the Indian security researcher Ashutosh Barot. Users reacted soon after the information was released, and it caused some sharp discussions in the forums. However, the biggest problem is that only a few people tried to understand how the vulnerability really works.

CSRF vulnerability explained

First of all, let’s talk about the CSRF vulnerability class. Cross-Site Request Forgery allows an attacker to make a logged-in web application administrator, or any user with sufficient rights, perform a predefined action without knowing it. The attacker prepares a specially crafted link, or a web page that loads that link (for example as an image), carrying the parameters needed to trigger the preset operation. When the authenticated user’s browser requests the link, it automatically attaches the session cookie, so the application receives what looks like a legitimate request from that user and executes it.

In this case, phpMyAdmin performed state-changing database operations, such as dropping a table, in response to plain GET requests that carried nothing proving they had come from phpMyAdmin’s own interface rather than from a third-party page, so those requests were unprotected against Cross-Site Request Forgery.
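The mechanics, as an added example that is not phpMyAdmin’s code or part of the original post: a small Python simulation of a database manager’s SQL endpoint in the vulnerable shape (a session cookie is the only check and the query is taken from the GET parameters of the URL) next to a hardened shape (POST only, an Origin check, and a per-session synchronizer token that the attacker’s page cannot read). The `sql.php` path, the `pma_session` cookie, the `db` and `sql_query` parameters, the `wordpress` database, and the `db.example.com` and `attacker.example` hosts are all assumptions invented for the demo. The forged URL also illustrates the preconditions discussed further down: it has to carry the installation URL, the database name and the table name. Because the browser attaches the session cookie on its own, an `<img src="…">` on the attacker’s page fires the GET without the victim clicking anything.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed session store: one logged-in admin whose browser holds the
# cookie "pma_session=sid-admin". All names are hypothetical, not phpMyAdmin's.
SESSIONS = {"sid-admin": {"user": "root", "csrf_token": secrets.token_hex(16)}}
SITE_ORIGIN = "https://db.example.com"


def fresh_db():
    """Constructed sample database: database -> {table name: row count}."""
    return {"wordpress": {"wp_users": 3, "wp_posts": 120}}


def run_sql(db, database, sql):
    """Toy executor that only understands DROP TABLE, enough to show the damage."""
    verb, _, rest = sql.strip().partition(" ")
    if verb.upper() == "DROP" and rest.upper().startswith("TABLE "):
        table = rest.split(None, 1)[1].strip("` ;")
        return db[database].pop(table, None) is not None
    raise ValueError("demo executor only understands DROP TABLE")


def vulnerable_sql_endpoint(db, cookies, url):
    """Vulnerable pattern: a valid session cookie is the only check and the
    query is read straight from the GET parameters, whatever page sent it."""
    session = SESSIONS.get(cookies.get("pma_session"))
    if session is None:
        return 401
    params = parse_qs(urlsplit(url).query)
    run_sql(db, params["db"][0], params["sql_query"][0])
    return 200


def hardened_sql_endpoint(db, method, cookies, headers, form):
    """Hardened pattern: POST only, Origin must be our own site when present,
    and the form must carry the synchronizer token bound to this session."""
    session = SESSIONS.get(cookies.get("pma_session"))
    if session is None:
        return 401
    if method != "POST":
        return 405  # a link or <img> can only produce a GET; refuse it outright
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403  # browsers add Origin to cross-site POSTs; a page cannot forge it
    token = form.get("token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403  # the attacker's page cannot read the victim's token
    run_sql(db, form["db"], form["sql_query"])
    return 200


# What the victim's browser sends to db.example.com on its own (no SameSite).
VICTIM_COOKIES = {"pma_session": "sid-admin"}
# The forged request: the attacker must know install URL, database and table.
FORGED_URL = SITE_ORIGIN + "/sql.php?db=wordpress&sql_query=DROP+TABLE+wp_users"
FORGED_FORM = {"db": "wordpress", "sql_query": "DROP TABLE wp_users"}


def demo_vulnerable():
    """Victim merely loads a page containing <img src=FORGED_URL>: table gone."""
    db = fresh_db()
    status = vulnerable_sql_endpoint(db, VICTIM_COOKIES, FORGED_URL)
    return status, "wp_users" in db["wordpress"]


def demo_hardened_get():
    """The same forged GET against the hardened endpoint is refused by method."""
    db = fresh_db()
    status = hardened_sql_endpoint(db, "GET", VICTIM_COOKIES, {}, {})
    return status, "wp_users" in db["wordpress"]


def demo_hardened_forged_post():
    """Attacker upgrades to an auto-submitting cross-site form: still refused."""
    db = fresh_db()
    status = hardened_sql_endpoint(db, "POST", VICTIM_COOKIES,
                                   {"Origin": "https://attacker.example"},
                                   dict(FORGED_FORM, token="attacker-guess"))
    return status, "wp_users" in db["wordpress"]


def demo_hardened_legitimate():
    """The real UI posts from its own origin with the session's token: allowed."""
    db = fresh_db()
    status = hardened_sql_endpoint(db, "POST", VICTIM_COOKIES,
                                   {"Origin": SITE_ORIGIN},
                                   dict(FORGED_FORM, token=SESSIONS["sid-admin"]["csrf_token"]))
    return status, "wp_users" in db["wordpress"]


if __name__ == "__main__":
    for demo in (demo_vulnerable, demo_hardened_get,
                 demo_hardened_forged_post, demo_hardened_legitimate):
        status, survives = demo()
        print(f"{demo.__name__}: status={status}, wp_users survives={survives}")
```

Each demo returns the HTTP status and whether the `wp_users` table is still there, so the difference between the two endpoints is visible in data, not just in log lines. Chromium-based browsers now default cookies to SameSite=Lax, which stops the cookie from being attached to a cross-site image request, but that is a browser-side defence the application does not control; the POST-plus-token check is what the application itself can guarantee.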

Conditions required to exploit phpMyAdmin CSRF vulnerability

It’s the best part about this vulnerability: exploitation looks hardly possible because of the required conditions. The attack works only if the user is logged in to phpMyAdmin and the attacker can get the crafted request sent from that user’s browser, whether by making the user click the link or by getting the user to visit a page that embeds it (for example as an image). But there is another problem. To prepare the malicious link the attacker needs to know several things: the URL of the phpMyAdmin installation, the database name and the name of the table he wants to drop (for example). And it’s quite hard to hit a logged-in user with the right link at the right time. All of this looks like waiting for a planetary alignment: it happens sometimes, but usually you might expect it once in several thousand years.

So don’t panic. It’s not a critical security issue unless you like to stay logged in to phpMyAdmin and have a habit of opening every link regardless of its origin. The real fix is to update phpMyAdmin to 4.7.7 or later; beyond that, common sense and compliance with simple security rules will protect you from such attacks, because logging out ends the session and the cookie then no longer authorises any forged request.

Alternative attack scenario

However, a combination of several attack types could increase the chance of CSRF success, for example by combining social engineering with clickjacking (a UI redress attack). Everything starts with social engineering: the phpMyAdmin user is tricked into visiting the clickjacking site, which places a hidden frame containing the phpMyAdmin login page over an innocent-looking control, in the hope that the user has the phpMyAdmin password saved in the browser and it gets filled in automatically. A click on that control then logs the user in without the user realising it, which removes the "must be logged in" precondition, and the attacker can continue with the CSRF attack.

To conclude, we would like to remind you that the success of such attacks depends largely on the user’s approach to security, because they rely on careless behaviour by the web application’s users. Don’t stay logged in to the application when you are not using it, and don’t click on suspicious links.

Darius S.
