phpMyAdmin is a widely used MySQL database manager, and most WordPress users know this software. Recently a CSRF (Cross-Site Request Forgery) vulnerability was found by Indian security researcher Ashutosh Barot in phpMyAdmin versions 4.7.x (before 4.7.7). Soon after the information about this vulnerability was released, users reacted and it caused some sharp discussions in the forums. However, the biggest problem is that only a few people tried to understand how it really works.
CSRF vulnerability explained
First of all, let’s talk about the CSRF vulnerability type. A Cross-Site Request Forgery vulnerability allows an attacker to trick a logged-in web application administrator, or any user with sufficient rights, into performing a predefined action without knowing it. The attacker prepares a specially crafted link that carries the parameters needed to execute the preset operation. By clicking such a link, the authenticated user sends the malicious request to the web application, and the browser attaches that user’s own session to it.
In this case, phpMyAdmin handles certain state-changing GET requests without protection against Cross-Site Request Forgery.
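To make the mechanism concrete, here is an added Python sketch (not phpMyAdmin’s code) that models a database-management endpoint first in the unprotected-GET shape the post describes, then with the checks that defeat a forged link: requiring POST, verifying the Origin/Referer header, and comparing a per-session token in constant time. The origin, user, database and table values are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

APP_ORIGIN = "https://db.example.test"  # constructed origin of the admin tool


@dataclass
class Session:
    """Server-side session of a logged-in user; the token is minted at login."""
    user: str
    token: str = field(default_factory=lambda: secrets.token_hex(16))


def same_origin(url: str) -> bool:
    """Compare scheme and host of an Origin/Referer value with the app origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" == APP_ORIGIN


def vulnerable_handler(session, method, params):
    """Pattern from the post: a destructive action reachable by a plain GET,
    authorised only by the session cookie the browser sends automatically."""
    if session is None:
        return "login required"
    if params.get("action") == "drop_table":
        return f"dropped {params['db']}.{params['table']}"
    return "noop"


def hardened_handler(session, method, params, headers):
    """Same action, but a forged link fails each of three independent checks."""
    if session is None:
        return "login required"
    if method != "POST":
        return "rejected: state change must be POST"
    if not same_origin(headers.get("Origin") or headers.get("Referer", "")):
        return "rejected: cross-origin request"
    if not hmac.compare_digest(params.get("token", ""), session.token):
        return "rejected: bad or missing CSRF token"
    if params.get("action") == "drop_table":
        return f"dropped {params['db']}.{params['table']}"
    return "noop"


def demo():
    """Replay a forged link against both handlers plus one legitimate request."""
    session = Session(user="admin")
    forged = {"action": "drop_table", "db": "wp", "table": "wp_posts"}
    attacker_hdrs = {"Referer": "https://attacker.example.test/page"}
    legit_hdrs = {"Origin": APP_ORIGIN}
    return {
        "vulnerable_forged": vulnerable_handler(session, "GET", forged),
        "hardened_forged": hardened_handler(session, "GET", forged, attacker_hdrs),
        "hardened_no_token": hardened_handler(session, "POST", forged, legit_hdrs),
        "hardened_legit": hardened_handler(
            session, "POST", dict(forged, token=session.token), legit_hdrs),
    }
```

The token check alone already stops the forged link; the POST and origin checks are defence in depth against a token that leaks through a URL or a referrer.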
Conditions required to exploit phpMyAdmin CSRF vulnerability
This is the best part about the vulnerability: exploiting it looks hardly possible because of the required conditions. The attack is possible only if the user is logged in to phpMyAdmin and clicks the crafted link. But there is another problem. An attacker needs to know several things to prepare the malicious link: the URL of the phpMyAdmin instance, the database name and the name of the table that they want to delete (for example). And it’s quite hard to hit a logged-in user with a proper link at the right time. All of this looks like waiting for a planetary alignment: it happens sometimes, but usually you might expect it in several thousand years.
So don’t panic. It’s not a critical security issue unless you like to stay logged in to phpMyAdmin and have a habit of clicking every link regardless of its origin. Otherwise, common sense and compliance with simple security rules will protect you from such attacks.
Alternative attack scenario
However, a combination of several types of attacks could increase the chance of CSRF success, for example by combining social engineering with clickjacking. In this case, everything starts with social engineering: tricking a phpMyAdmin user into visiting a clickjacking site (UI redress attack) in the hope that the user has their password saved in the browser. If this step succeeds, it is possible to continue with the CSRF attack.
To conclude, we would like to remind you that the success of such attacks depends largely on the user’s approach to security, because these attacks rely on careless behaviour by web application users. Don’t stay logged in to the application if you’re not using it at the moment, and don’t click on suspicious links.