By According to the update published just before the vacations by the designers of phpMyAdmin fixes a severe vulnerability that can be exploited to execute damaging database processes by getting directed administrators to connect on individually crafted links.
phpMyAdmin is one of the free and open source tools developed for organizing MySQL databases over the Internet. phpMyAdmin is the top MySQL database administration tools having more than 200,000 downloads on monthly basis. A researcher from India, Ashutosh Barot revealed that phpMyAdmin is influenced by a Cross-Site Request Forgery (CSRF) error that can be exploited by a cyberpunk to drop tables, delete records, and execute other database processes.
A genuine admin requires clicking on a particularly crafted URL for the attack to work. Though, Barot recorded that the attack efforts as long as the user is signed in to the cPanel web hosting administration interface, even if phpMyAdmin has been shut down after use. These sorts of attacks are likely due to the element that susceptible versions of phpMyAdmin practice GET demands for database processes, but fail to deliver CSRF security.
The Indian researcher also revealed that the URLs connected with database processes executed via phpMyAdmin are kept in the web browser history, which can position security threats.
“The URL will contain database name and table name as a GET request was used to perform DB operations,” Barot said in a blog post published on Friday. “URLs are stored at various places such as browser history, SIEM logs, firewall logs, ISP logs, etc. This URL is always visible at client side, it can be a serious issue if you are not using SSL (some information about your previous queries were stored in someone’s logs!). Wherever the URL is being saved, an adversary can gain some information about your database.”
phpMyAdmin designers patched the CSRF vulnerability discovered by Barot with the announcement of version 4.7.7. All preceding 4.7.x versions are obstructed by the security hole, which phpMyAdmin has identified as harmful. Users have been recommended to update their installations or apply the available fix.
