CVE-2019-12922: 0-day phpMyAdmin Cross-Site Request Forgery Vulnerability Alert

phpMyAdmin is a free software tool written in PHP that is intended to handle the administration of a MySQL or MariaDB database server. You can use phpMyAdmin to perform most administration tasks, including creating a database, running queries, and adding user accounts.


CVE-2019-12922: phpMyAdmin 4.9.0.1 – Cross-Site Request Forgery

A Cross-Site Request Forgery vulnerability has been detected in phpMyAdmin that allows an attacker to trigger a CSRF attack against a phpMyAdmin user and delete any server from the Setup page. The attacker can easily craft a fake hyperlink containing the request to be executed on behalf of the user; the CSRF attack is possible because of the wrong use of the HTTP method (a state-changing action is reachable through a plain GET request).

Affected version

  • phpMyAdmin <= 4.9.0.1

PoC

Exploit CSRF – Deleting main server

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

Solution

Validate the token variable in every request, as is already done for other phpMyAdmin requests.
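As an added illustration of that fix (example code, not phpMyAdmin's own), the weak handler below reproduces the pattern the PoC abuses, and the hardened one restricts the action to POST and requires a per-session token; the function names, the $_SESSION key and the $servers array are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin's code. Function names, the session key and
// the $servers array are assumptions made for illustration.
session_start();

// Weak pattern: a state-changing action reachable through a plain GET with
// nothing a third-party page could not forge. A hidden <img> pointing at
// ?page=servers&mode=remove&id=1 is enough to trigger it.
function removeServerWeak(array &$servers, array $query): bool
{
    if (($query['mode'] ?? '') !== 'remove' || !isset($query['id'])) {
        return false;
    }
    unset($servers[(int) $query['id']]);
    return true;
}

// Per-session anti-CSRF token: generated once, embedded in the real form,
// and unknown to any cross-site page.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hardened pattern: reject anything that is not POST, then require the token
// before touching the configuration. hash_equals() compares in constant time.
function removeServerHardened(array &$servers, string $method, array $post): bool
{
    if ($method !== 'POST') {
        return false;                               // the PoC's GET stops here
    }
    $sent = (string) ($post['token'] ?? '');
    if ($sent === '' || !hash_equals(csrfToken(), $sent)) {
        return false;                               // missing or forged token
    }
    if (($post['mode'] ?? '') !== 'remove' || !isset($post['id'])) {
        return false;
    }
    unset($servers[(int) $post['id']]);
    return true;
}

// The legitimate Setup form carries the token, so only it can submit the action.
function removeServerForm(int $id): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?page=servers">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<input type="hidden" name="mode" value="remove">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button type="submit">Remove server</button></form>';
}
```

With the hardened handler, the PoC's GET request and any POST lacking the session token both return false without modifying $servers.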

Via: packetstormsecurity