Critical Flaw in phpMyAdmin


The vulnerability allows any remote attacker to damage MySQL databases.

A security researcher has found a critical flaw in phpMyAdmin that allows an attacker to damage databases. According to The Hacker News, “The vulnerability is a cross-site request forgery (CSRF) attack and affects phpMyAdmin versions 4.7.x (prior to 4.7.7).”

The vulnerability was discovered by researcher Ashutosh Barot. Barot wrote in a blog post, “In this case (phpMyAdmin), a database admin/Developer can be tricked into performing database operations like DROP TABLE using CSRF. It can cause devastating incidents! The vulnerability allows an attacker to send a crafted URL to the victim and if she (authenticated user) clicks it, the victim may perform a DROP TABLE query on her database.”

On its advisory page, phpMyAdmin wrote that “by deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.” The phpMyAdmin project has already released a patch and suggests that users either apply the patch to existing installs or upgrade to phpMyAdmin 4.7.7 or newer.
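To make the defensive point concrete, here is an added example (not phpMyAdmin's own code): a hypothetical request handler that executes the SQL carried in a URL parameter on any request the browser sends with the user's cookie, which is exactly why a crafted link works, beside a hardened handler that accepts the statement only on POST and only with a per-session CSRF token. The `sql_query` and `token` parameter names, the `Session` class and the in-memory SQLite data are all assumptions.

```python
import hmac
import secrets
import sqlite3
from urllib.parse import parse_qs


def make_db():
    """Constructed in-memory database standing in for the admin's real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO customers VALUES (1, 'alice')")
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


class Session:
    """Hypothetical server-side session that owns one random CSRF token."""
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def vulnerable_handler(conn, method, raw_params):
    """Before: runs sql_query from whatever the browser sends with the cookie,
    GET included, so a link the logged-in admin clicks executes the statement."""
    sql = parse_qs(raw_params).get("sql_query", [""])[0]
    if not sql:
        return 400
    conn.execute(sql)
    return 200


def hardened_handler(conn, session, method, raw_params):
    """After: a state-changing statement needs POST plus the session's CSRF
    token (constant-time compare). A crafted link is a GET with no token, so it
    is refused before any SQL runs."""
    if method != "POST":
        return 405
    params = parse_qs(raw_params)
    token = params.get("token", [""])[0]
    if not hmac.compare_digest(token, session.csrf_token):
        return 403
    sql = params.get("sql_query", [""])[0]
    if not sql:
        return 400
    conn.execute(sql)
    return 200
```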

phpMyAdmin is an open source tool for managing MySQL over the Web. It supports a wide range of functions, including management of databases, tables, columns, relations, indexes, users, permissions, etc. via the user interface, instead of a command-line interface. This ease of use has made phpMyAdmin a very popular tool for hosting providers.

