phpMyAdmin is a popular open source web application for administering MySQL databases through a browser. It’s hugely popular, with around 200,000 downloads a month, which is why attackers were over the moon when they heard about a very serious vulnerability in the code.
The vulnerability let an attacker trigger destructive database operations, but only by persuading a logged-in admin to click on a specially crafted link.
Ashutosh Barot, a researcher based in India, found that phpMyAdmin was open to a simple cross-site request forgery (CSRF) attack that lets an attacker delete records, drop tables and perform other database operations as the victim.
However, for the attack to work, an admin has to be logged in and authenticated *and* has to click on a link that triggers the forged request. Barot also found that if the admin was logged into cPanel and had closed phpMyAdmin after finishing with it, the attack still worked, because the login behind phpMyAdmin was still usable. Which isn’t good news.
The reason this works is that the affected versions of phpMyAdmin performed state-changing database operations via GET requests, so a single crafted URL carried everything needed to run the operation, and those requests were not protected against CSRF. The browser attaches the admin’s session cookie to the request automatically; the attacker never needs to know it.
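To make the mechanics concrete, here is a small simulation. It is an added example and is not phpMyAdmin’s code: a toy in-memory database, a request handler in the pre-fix shape the article describes (state-changing operations accepted on GET, no CSRF check), and a hardened handler that only mutates state on a POST carrying a per-session token. The standard POST-plus-token remedy is used as the illustration of a fix, not as a description of the actual 4.7.7 patch, and every name, URL and parameter here (`DB`, `sql.php`, `sql_query`, `pma.example`, the session cookie) is an assumption for the example.

```python
"""Added example (not phpMyAdmin's code): why a state-changing GET request is
CSRF-able, and how requiring POST plus a per-session token stops a crafted link.
All names, URLs and parameters are assumptions made for this illustration."""
import secrets
from urllib.parse import urlparse, parse_qs


class DB:
    """Constructed in-memory stand-in for the database server behind the web UI."""

    def __init__(self):
        self.tables = {"users": [{"id": 1}, {"id": 2}], "orders": [{"id": 10}]}

    def execute(self, sql):
        # Only the one statement shape this example needs: "DROP TABLE <name>".
        kind, _, name = sql.partition(" TABLE ")
        if kind == "DROP" and name in self.tables:
            del self.tables[name]
            return True
        return False


# One logged-in admin session. The browser attaches this cookie to every request
# to the site automatically, which is exactly what a crafted link rides on.
SESSION_COOKIE = "pma_session"
sessions = {SESSION_COOKIE: {"user": "admin", "csrf_token": secrets.token_hex(16)}}


def vulnerable_handler(db, method, url, cookies):
    """Pre-fix shape as the article describes it: the operation comes from the
    query string of a GET, and nothing ties the request to the admin's intent."""
    if cookies.get("session") not in sessions:
        return 401
    qs = parse_qs(urlparse(url).query)          # decodes '+' and %XX for us
    sql = qs.get("sql_query", [None])[0]
    if sql and db.execute(sql):
        return 200
    return 400


def hardened_handler(db, method, url, cookies, form=None):
    """Mutating operations require POST and a token bound to the session.
    A GET (i.e. a plain link) can never change state."""
    if cookies.get("session") not in sessions:
        return 401
    if method != "POST":
        return 405
    sess = sessions[cookies["session"]]
    form = form or {}
    # Constant-time compare; the attacker's page cannot read this token.
    if not secrets.compare_digest(form.get("token", ""), sess["csrf_token"]):
        return 403
    sql = form.get("sql_query")
    if sql and db.execute(sql):
        return 200
    return 400


# The attacker's crafted link (assumed URL). The victim's browser sends the
# session cookie along; the attacker never learns the cookie or the token.
CRAFTED = "https://pma.example/sql.php?db=shop&table=users&sql_query=DROP+TABLE+users"
VICTIM_COOKIES = {"session": SESSION_COOKIE}


def run_attack_on_vulnerable():
    """Returns (status, table_still_exists) after the victim clicks the link."""
    db = DB()
    status = vulnerable_handler(db, "GET", CRAFTED, VICTIM_COOKIES)
    return status, "users" in db.tables


def run_attack_on_hardened():
    db = DB()
    status = hardened_handler(db, "GET", CRAFTED, VICTIM_COOKIES)
    return status, "users" in db.tables


def run_forged_post_on_hardened():
    """An auto-submitting attacker form can POST, but cannot supply the token."""
    db = DB()
    status = hardened_handler(db, "POST", "https://pma.example/sql.php", VICTIM_COOKIES,
                              form={"sql_query": "DROP TABLE users", "token": "guess"})
    return status, "users" in db.tables


def legitimate_drop():
    """The real UI submits the token it rendered into the admin's page."""
    db = DB()
    tok = sessions[SESSION_COOKIE]["csrf_token"]
    status = hardened_handler(db, "POST", "https://pma.example/sql.php", VICTIM_COOKIES,
                              form={"sql_query": "DROP TABLE users", "token": tok})
    return status, "users" in db.tables


if __name__ == "__main__":
    print("vulnerable, crafted GET:   ", run_attack_on_vulnerable())
    print("hardened, crafted GET:     ", run_attack_on_hardened())
    print("hardened, forged POST:     ", run_forged_post_on_hardened())
    print("hardened, legitimate POST: ", legitimate_drop())
```

The point the four runs make: against the GET-based handler the click alone drops the table; against the hardened one the link is refused outright, a forged cross-site POST fails the token check, and only the admin’s own form (which carries the token the server rendered into the page) succeeds. Moving the operation to POST without the token would still be forgeable with an auto-submitting form, which is why both halves of the fix matter.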
Barot also reported that, because the whole operation is encoded in the URL, the sketchy URLs end up in the admin’s browser history and in any other place that records requested URLs, adding to the security risk even more. As he put it:
"The URL will contain the database name and table name, as a GET request was used to perform DB operations. URLs are stored at various places such as browser history, SIEM logs, firewall logs, ISP logs, etc. This URL is always visible at the client side; it can be a serious issue if you are not using SSL (some information about your previous queries is stored in someone’s logs!). Wherever the URL is being saved, an adversary can gain some information about your database."
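The leak Barot describes is easy to see in an ordinary web-server access log, which is also where a defender would look for the attack after the fact. The scanner below is an added example, not part of the article or of phpMyAdmin: it parses a few constructed Apache combined-format log lines for an assumed `/phpmyadmin/` deployment on `pma.example`, pulls the decoded `db`, `table` and `sql_query` values out of every GET, and flags the two things worth alerting on (a mutating statement in a URL, and a cross-site Referer on such a request). The log lines, hostnames and parameter names are constructed for the example.

```python
"""Added example, not from the article or phpMyAdmin: what a GET-based database
operation leaves behind in an access log, and a small scanner that finds it.
Log lines, hostnames, paths and parameter names are constructed for this illustration."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines for a reverse proxy in front of the app.
# Line 3 is what a click on a crafted link would leave behind; line 4 is a POST,
# whose body (and therefore its query) never reaches the access log at all.
ACCESS_LOG = """\
203.0.113.7 - - [05/Jan/2018:10:01:12 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2018:10:01:40 +0000] "GET /phpmyadmin/sql.php?db=shop&table=users&pos=0 HTTP/1.1" 200 8820 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jan/2018:10:02:03 +0000] "GET /phpmyadmin/sql.php?db=shop&table=users&sql_query=DROP+TABLE+%60users%60 HTTP/1.1" 200 2100 "http://evil.example/offer.html" "Mozilla/5.0"
198.51.100.4 - - [05/Jan/2018:10:02:10 +0000] "POST /phpmyadmin/sql.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Statements that change data or schema; read-only SELECTs are noise for this purpose.
MUTATING = re.compile(r"^\s*(DROP|DELETE|TRUNCATE|ALTER|UPDATE|INSERT)\b", re.I)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_leaked_queries(log_text, pma_prefix="/phpmyadmin/",
                        own_origins=("https://pma.example",)):
    """One record per GET to the app whose URL carried a query string with sql_query.

    Each record holds what an observer of the log already learns (ip, db, table,
    the decoded SQL) plus two flags: whether the statement mutates state and whether
    the Referer came from a foreign site, which together are the CSRF tell."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.startswith(pma_prefix):
            continue
        qs = parse_qs(parts.query)                 # decodes '+' and %XX escapes
        sql = qs.get("sql_query", [None])[0]
        if sql is None:
            continue
        referer = rec["referer"]
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "db": qs.get("db", [""])[0],
            "table": qs.get("table", [""])[0],
            "sql": sql,
            "mutating": bool(MUTATING.match(sql)),
            "cross_site_referer": referer not in ("-", "")
                                  and not referer.startswith(own_origins),
        })
    return findings


def suspicious(findings):
    """Findings worth paging on: a state-changing statement that arrived via a link."""
    return [f for f in findings if f["mutating"] and f["cross_site_referer"]]


if __name__ == "__main__":
    hits = find_leaked_queries(ACCESS_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} db={h["db"]} table={h["table"]} sql={h["sql"]!r} '
              f'mutating={h["mutating"]} cross_site={h["cross_site_referer"]}')
    print("suspicious:", len(suspicious(hits)))
```

Two things the run shows. First, the log alone already reveals the database name, table name and full statement to whoever can read it, and that exposure does not depend on the attack succeeding; any GET-based query leaks the same way. Second, the POST on the last line leaves nothing to recover, which is the flip side of moving operations to POST: it closes the leak but also means your detection has to come from the application’s own logs rather than the front-end access log.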
Thanks to this finding, the phpMyAdmin developers fixed the issue in release 4.7.7. Anyone running a 4.7.x version should update to 4.7.7 or the latest release without delay.