phpMyAdmin, one of the most widely used applications for managing MySQL databases, has been found to contain a serious security flaw. The vulnerability could let a remote attacker carry out unauthorized database operations by luring an administrator into clicking a specially crafted link.
This makes the vulnerability a cross-site request forgery (CSRF, also written XSRF) issue. It affects phpMyAdmin versions prior to 4.7.7; versions older than 4.7.0 are not affected. The flaw, which has been assigned CVE-2017-1000499, was discovered by security researcher Ashutosh Barot.
CVE-2017-1000499 In Detail
The vulnerability can be triggered “by deceiving a user to click on a crafted URL”, which may lead to harmful database operations such as deleting records and dropping or truncating tables.
According to the researcher himself, “if a user executes a query on the database by clicking insert, DROP, etc. buttons, the URL will contain database name and table name.” Active exploitation of this flaw can lead to various outcomes, including disclosure of sensitive information: such URLs are recorded in many places, among them browser history, SIEM logs, firewall logs and ISP logs.
The vulnerability is quite dangerous because of how widely the software is deployed. phpMyAdmin is a free and open-source administration tool for MySQL and MariaDB, and it is commonly used to manage databases for websites built on CMS platforms such as WordPress and Joomla. Hosting providers are also known to use phpMyAdmin as an easy way to organize customers’ databases.
The researcher who discovered CVE-2017-1000499 also demonstrated in a video how a remote attacker can trick a database admin into deleting an entire table from the database just by clicking a specially crafted link.
The affected phpMyAdmin feature issued a GET request followed by a POST request for database operations such as DROP TABLE table_name. GET requests that trigger such operations must be protected against CSRF attacks; here the POST request's parameters were also carried in the URL (possibly for bookmarking purposes), so an attacker could trick a database admin into clicking a button and executing a DROP TABLE query against a table of the attacker's choice.
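To make the pattern described above concrete, here is an added Python sketch (not phpMyAdmin's code) of the weak handler beside a hardened one: the /sql_exec endpoint, the parameter names, the in-memory session store and the crafted link are all constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed in-memory session store (assumption; not phpMyAdmin's session code).
SESSIONS = {"sess-admin": {"csrf_token": secrets.token_hex(16)}}

# Constructed crafted link of the kind the article describes: database, table and
# the statement all travel in the query string, so following it is enough to act.
CRAFTED_LINK = ("https://pma.example.invalid/sql_exec"
                "?db=shop&table=orders&sql_query=DROP+TABLE+orders")


def session_token(session_id):
    """Per-session synchronizer token that a legitimate page embeds in its forms."""
    return SESSIONS.get(session_id, {}).get("csrf_token", "")


def weak_handler(method, url):
    """Vulnerable pattern: the operation is read straight from URL parameters,
    on any HTTP method, with no request-specific secret. The browser attaches
    the admin's session cookie automatically, so a clicked link is executed."""
    q = parse_qs(urlparse(url).query)
    if "sql_query" in q:
        return ("EXECUTED", q.get("db", [""])[0], q["sql_query"][0])
    return ("IGNORED", "", "")


def hardened_handler(method, url, session_id, form):
    """Hardened pattern: state changes only via POST, the statement only from
    the POST body, and a synchronizer token checked in constant time."""
    if method != "POST":
        return ("REJECTED", "state-changing request must be POST")
    expected = session_token(session_id)
    supplied = form.get("token", "")
    # An empty expected token (unknown session) must never match an empty submission.
    if not expected or not hmac.compare_digest(supplied, expected):
        return ("REJECTED", "missing or invalid CSRF token")
    if "sql_query" in parse_qs(urlparse(url).query):
        return ("REJECTED", "statement must not be carried in the URL")
    return ("EXECUTED", form.get("db", ""), form.get("sql_query", ""))


if __name__ == "__main__":
    print(weak_handler("GET", CRAFTED_LINK))                         # executed
    print(hardened_handler("GET", CRAFTED_LINK, "sess-admin", {}))   # rejected
    good = {"token": session_token("sess-admin"), "db": "shop", "sql_query": "SELECT 1"}
    print(hardened_handler("POST", "/sql_exec", "sess-admin", good))  # executed
```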
Fortunately, CVE-2017-1000499 is not trivial to exploit: to carry out the CSRF attack, the attacker must know the name of the targeted database and table.
The researcher reported CVE-2017-1000499 to the phpMyAdmin developers, who quickly confirmed the flaw and fixed it in phpMyAdmin 4.7.7. If you believe you may be affected, it is highly advisable to update to the latest version.