phpMyAdmin is a free tool millions worldwide use to manage MySQL and MariaDB databases over the web. Joomla, WordPress, etc., are some popular products that use phpMyAdmin. Manuel Garcia Cardenas, a security researcher, discovered a CSRF vulnerability that can meddle with the server configurations in phpMyAdmin. A good vulnerability management software can prevent these attacks.
An attacker can delete a configured server in the setup page of a phpMyAdmin panel by tricking a user who is already logged in to the phpMyAdmin page to click on a crafted URL. An attacker only needs to have information about the URL of the targeted server. However, this vulnerability rates medium as a successful attack that does not allow an attacker to delete a database or a table stored on the server but only deletes the server name in the setup page of a phpMyAdmin panel. Vulnerability Management Tool can keep these issues at bay.
This vulnerability reports to the vendor in June 2019 but was not fixed within the 90-day period. The researcher has published the vulnerability tracked as CVE-2019-12922 with the POC.
<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />
The researcher has also mentioned validating tokens on every call as a possible solution to the vulnerability. The vendor has issued no fix for this vulnerability. We will send out updates as and when a fix is releasing for this vulnerability. But in the meantime, we strongly suggest being extremely cautious before clicking on any suspicious links which might trigger the vulnerability.
Affected Products
CSRF vulnerability affects phpMyAdmin versions 4.9.0.1 and before. phpMyAdmin 5.0.0-alpha1 also reports as vulnerable.
Impact
An attacker can trick a user to click on a crafted link and launch CSRF attacks in the logged-in user’s context.
Solution
While no workaround or remediation is currently available, we will continue to monitor this vulnerability and update as and when a fix is available. In the meantime, our general recommendation is to refrain from clicking on any suspicious links.