
phpMyAdmin CSRF vulnerability explained

phpMyAdmin is a widely used MySQL database manager, and most WordPress users know it. Recently a CSRF (Cross-Site Request Forgery) vulnerability was found by the Indian security researcher Ashutosh Barot in phpMyAdmin 4.7.x (before 4.7.7). Soon after the details were published, users reacted and some sharp discussions followed in the forums. The biggest problem, however, is that only a few people tried to understand how it really works.

CSRF vulnerability explained

First of all, let’s talk about the CSRF vulnerability type. A Cross-Site Request Forgery vulnerability allows an attacker to trick a logged-in administrator of a web application, or any user with sufficient rights, into performing a predefined action without knowing it. The attacker prepares a specially crafted link that carries the parameters needed to execute the preset operation. By clicking such a link, the authenticated user sends the malicious request to the web application from their own browser session, so the application treats it as a legitimate action by that user.

In this case, phpMyAdmin performed operations through GET requests that were not protected against Cross-Site Request Forgery.
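The pattern described above, as an added PHP example that is not phpMyAdmin’s own code: a state-changing action that executes on a bare GET, beside a hardened handler that accepts only a POST carrying a per-session token. The parameter names (action, db, table, token) and the `DROP TABLE` target are assumptions made for illustration.

```php
<?php
// Added example, not phpMyAdmin's own code: a "drop table" action written the
// vulnerable way (a GET with the right parameters is enough) and the hardened
// way (POST only, plus a per-session CSRF token compared in constant time).
// Request and session are plain arrays so the file runs from the CLI.
function quoteIdent(string $name): string { return '`' . str_replace('`', '``', $name) . '`'; }

// Vulnerable pattern: a state change driven by the query string alone, so any
// page a logged-in user visits can make the browser issue it.
function vulnerableDrop(array $query): string
{
    if (($query['action'] ?? '') !== 'drop') {
        return 'no-op';
    }
    return 'DROP TABLE ' . quoteIdent($query['db']) . '.' . quoteIdent($query['table']);
}

// Hardened pattern: one random token per session, sent back in the POST body.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit token
    }
    return $session['csrf_token'];
}
function csrfValid(array $session, $submitted): bool
{
    return isset($session['csrf_token']) && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted); // constant-time
}
function hardenedDrop(string $method, array $post, array $session): string
{
    if ($method !== 'POST') {                 // a plain link only produces GET
        return 'rejected: state change requires POST';
    }
    if (!csrfValid($session, $post['token'] ?? null)) {
        return 'rejected: missing or wrong CSRF token';
    }
    return 'DROP TABLE ' . quoteIdent($post['db']) . '.' . quoteIdent($post['table']);
}

// Constructed requests: only the POST with this session's token passes.
$session = [];
$token   = csrfToken($session);
$args    = ['db' => 'app', 'table' => 'users'];
echo vulnerableDrop($args + ['action' => 'drop']), PHP_EOL;
echo hardenedDrop('GET', [], $session), PHP_EOL;
echo hardenedDrop('POST', $args + ['token' => 'guess'], $session), PHP_EOL;
echo hardenedDrop('POST', $args + ['token' => $token], $session), PHP_EOL;
```

The method check alone is not a full defence (a cross-site form can still POST), which is why the token is required as well.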

Conditions required to exploit phpMyAdmin CSRF vulnerability

The best part of this vulnerability is that exploiting it looks hardly possible because of the conditions required. The attack works only if the user is logged in to phpMyAdmin and clicks the crafted link. But there is another problem. The attacker needs to know several things to prepare the malicious link: the URL of the phpMyAdmin installation, the database name and the name of the table he wants to delete (for example). And it is quite hard to hit a logged-in user with the proper link at the right time. All of this looks like waiting for a planetary alignment: it happens sometimes, but usually you might expect it in several thousand years.

So don’t panic. It’s not a critical security issue unless you like to stay logged in to phpMyAdmin and have an urge to click every link regardless of its origin. Otherwise, common sense and compliance with simple security rules will protect you from such attacks.

Alternative attack scenario

However, combining several types of attacks could increase the chance of CSRF success, for example by pairing social engineering with clickjacking. In that case everything starts with social engineering: the phpMyAdmin user is tricked into clicking a link on the clickjacking site (a UI redress attack), in the hope that the user has passwords saved in the browser. If this step succeeds, it is possible to continue with the CSRF attack.

To conclude, we would like to remind you that the success of such attacks depends mostly on the user’s approach to security, because these attacks are based on irresponsible behaviour by web application users. Don’t stay logged in to the application if you are not using it at the moment, and don’t click suspicious links.

Darius S.
