A cybersecurity research effort has revealed an unpatched zero-day vulnerability in phpMyAdmin, a widely-utilized application for managing MySQL and MariaDB databases. This tool is integral for many websites built on content management systems such as WordPress and Joomla.
The vulnerability was identified by security researcher Manuel Garcia Cardenas, who characterized it as a cross-site request forgery (CSRF) flaw. CSRF attacks typically involve deceiving authenticated users into performing unintended actions, potentially compromising the integrity of their systems.
Documented as CVE-2019-12922, this vulnerability has been assigned a medium severity rating due to its specific limitations. An attacker can exploit this flaw to delete any configured server within the phpMyAdmin panel on a compromised server, but cannot delete databases or tables stored on it. The attack vector requires an attacker to send a maliciously crafted URL to target web administrators who are already logged into their phpMyAdmin panel, leading them to inadvertently delete the server configuration.
Cardenas notes that the simplicity of this exploit lies in its reliance on deceiving users into clicking a fraudulent link without needing detailed knowledge about the targeted databases. As he states, “The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, thus enabling a CSRF attack due to the improper use of HTTP methods.”
The vulnerability impacts phpMyAdmin versions up to and including 4.9.0.1, identified as the latest stable release when this information came to light. It also exists in the 5.0.0-alpha1 version released in July 2019. Cardenas, who reported this issue responsibly to phpMyAdmin maintainers in June 2019, decided to disclose the details after waiting 90 days for a patch that was not forthcoming.
The recommended mitigation involves implementing robust validation protocols for token variables in every request, similar to other existing security measures in phpMyAdmin. Given the straightforward nature of this vulnerability, it is essential for website administrators and hosting providers to exercise caution by refraining from clicking on suspicious links until a patch is deployed.
In terms of potential adversary tactics delineated by the MITRE ATT&CK framework, this vulnerability may fall under initial access and execution techniques, particularly CSRF attacks, which enable unauthorized commands to be transmitted from a user that the server trusts. As this situation unfolds, businesses utilizing phpMyAdmin should remain vigilant in protecting their systems against this type of exploitation.