New phpMyAdmin Zero-Day Vulnerability Found
phpMyAdmin, despite its popularity, doesn’t have the reputation of being overly secure. Many sysadmins advise not to install it.
Researcher Manuel Garcia Cardenas has found a new vulnerability in phpMyAdmin and published details, along with a proof of concept, that could be used by bad actors. The flaw has been assigned CVE-2019-12922.
According to Cardenas, the vulnerability is a Cross-Site Request Forgery (CSRF) in phpMyAdmin: an attacker can mount a CSRF attack against a phpMyAdmin user that deletes any server in the Setup page.
“The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, in this way making possible a CSRF attack due to the wrong use of HTTP method,” Cardenas explains in a post to the Full Disclosure mailing list.
phpMyAdmin maintainers have not yet released a patch for the vulnerability.
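Cardenas attributes the flaw to the wrong use of HTTP method. As an added example (not phpMyAdmin's code and not taken from the advisory), the PHP below shows the usual server-side check for a state-changing action: refuse anything but POST and require a per-session token. The function names, the `id` and `token` parameters and the sample requests are assumptions constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin code. All names here are hypothetical.

/** Issue a per-session anti-CSRF token, stored in the server-side session. */
function issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Decide whether a "delete server" request may proceed. */
function may_delete_server(string $method, array $post, array $session): bool
{
    // 1. State-changing actions are refused over GET, so a hyperlink or an
    //    image tag on another site cannot trigger them.
    if ($method !== 'POST') {
        return false;
    }
    // 2. The body must carry the session's token, which a cross-site form
    //    cannot read or guess.
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if ($expected === '' || !is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// Constructed sample requests, evaluated against one session.
$session = [];
$token = issue_token($session);
$cases = [
    'GET link from another site' => ['GET',  []],
    'POST without token'         => ['POST', ['id' => '1']],
    'POST with wrong token'      => ['POST', ['id' => '1', 'token' => str_repeat('0', 64)]],
    'POST with session token'    => ['POST', ['id' => '1', 'token' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    $verdict = may_delete_server($method, $post, $session) ? 'allowed' : 'rejected';
    printf("%-28s %s\n", $label, $verdict);
}
```

Only the last request is allowed; the GET request is rejected before any token is considered.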