Critical Flaw in phpMyAdmin

By

The vulnerability allows any remote attacker to damage MySQL databases.

A security researcher has found a critical flaw in phpMyAdmin that allows an attacker to damage databases. According to The Hacker News, “The vulnerability is a cross-site request forgery (CSRF) attack and affects phpMyAdmin versions 4.7.x (prior to 4.7.7).”

The vulnerability was discovered by researcher, Ashutosh Barot. Barot wrote in a blog post, “In this case (phpMyAdmin), a database admin/Developer can be tricked into performing database operations like DROP TABLE using CSRF. It can cause devastating incidents! The vulnerability allows an attacker to send a crafted URL to the victim and if she (authenticated user) clicks it, the victim may perform a DROP TABLE query on her database.”

On its advisory page, phpMyAdmin wrote that “by deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.” phpMyAdmin project has already released a patch and suggests users either apply the patch to the existing installs or upgrade to phpMyAdmin 4.7.7 or newer.

phpMyAdmin is an open source tool for managing MySQL over the Web. It supports a wide range of functions, including management of database, tables, columns, relations, indexes, users, permissions, etc. via the user interface, instead of using a command-line interface. This ease of use has made phpMyAdmin a very popular tool for hosting providers.

01/02/2018

Related content

  • News for Admins
    Electron app vulnerability, WordPress sites infected by malware, Torvalds calls Intel's patch garbage, AMT flaw in Intel chips allows attacker to create a backdoor, and first malware for Mac OS in 2018.
  • Chive

    Generations of web admins have used phpMyAdmin or SQL Buddy to communicate with their databases. Newcomer Chive has the potential to send the legacy tools into early retirement, thanks to its state-of-the-art Ajax interface and impressive feature scope.

  • Protecting your web application infrastructure with the Nginx Naxsi firewall
    One of the best-kept secrets about the popular Nginx web server is the Naxsi web application firewall.
comments powered by Disqus