New phpMyAdmin Zero-Day Vulnerability Found

Researcher publishes details, proof of concept.

phpMyAdmin, despite its popularity, doesn’t have the reputation of being overly secure. Many sysadmins advise not to install it.

Researcher Manuel Garcia Cardenas has found a new vulnerability in phpMyAdmin and published details, along with a proof of concept, that could be used by bad actors. The flaw has been assigned CVE-2019-12922.

According to Cardenas, the vulnerability is a Cross-Site Request Forgery (CSRF) in phpMyAdmin that allows an attacker to mount a CSRF attack against a phpMyAdmin user, one that deletes any server in the Setup page.

“The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf of the user, in this way making possible a CSRF attack due to the wrong use of HTTP method,” Cardenas explains in a post to the Full Disclosure mailing list.

phpMyAdmin maintainers have not yet released a patch for the vulnerability.
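
The pattern Cardenas describes, a destructive action that runs when a logged-in user merely follows a link, is shown here beside a handler that refuses it, as an added example in PHP. It is not phpMyAdmin's code or the researcher's proof of concept; the function names, the parameter names (action, server, token) and the sample data are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// All parameter names (action, server, token) are hypothetical placeholders.

// Weak pattern: the delete runs whatever the HTTP method, so a link followed
// by a logged-in user is enough to trigger it.
function handleWeak(string $method, array $query, array &$servers): int
{
    if (($query['action'] ?? '') === 'delete') {
        unset($servers[(int) ($query['server'] ?? 0)]);
    }
    return 200;
}

// Hardened pattern: GET never changes state; POST needs the session's token.
function handleHardened(string $method, array $query, array $post, array $session, array &$servers): int
{
    if ($method !== 'POST') {
        return isset($query['action']) ? 405 : 200; // refuse actions in the URL
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === ''
        || !hash_equals($expected, $supplied)) {
        return 403; // missing or wrong token: a cross-site form cannot know it
    }
    if (($post['action'] ?? '') === 'delete') {
        unset($servers[(int) ($post['server'] ?? 0)]);
    }
    return 200;
}

// Constructed sample data: two configured servers and one user session.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$forged  = ['action' => 'delete', 'server' => '1'];

$weak = [1 => 'db-a', 2 => 'db-b'];
handleWeak('GET', $forged, $weak);
printf("weak, forged GET: %d server(s) left\n", count($weak));

$hard = [1 => 'db-a', 2 => 'db-b'];
$status = handleHardened('GET', $forged, [], $session, $hard);
printf("hardened, forged GET: HTTP %d, %d server(s) left\n", $status, count($hard));
$status = handleHardened('POST', [], $forged, $session, $hard);
printf("hardened, POST without token: HTTP %d, %d server(s) left\n", $status, count($hard));
$status = handleHardened('POST', [], $forged + ['token' => $session['csrf_token']], $session, $hard);
printf("hardened, POST with token: HTTP %d, %d server(s) left\n", $status, count($hard));
```

Only the last call, a POST carrying the session's own token, changes the server list in the hardened handler.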

09/24/2019
