A researcher has just published a zero-day security bug in one of the web’s most popular database administration software packages.
The bug lets an attacker remove a server from a user's phpMyAdmin configuration by riding that user's logged-in session; the account itself is not taken over. phpMyAdmin is a 21-year-old open-source tool used to manage MySQL and MariaDB databases.
The flaw is a classic cross-site request forgery (CSRF), a long-established attack in which an attacker tricks a logged-in user's browser into sending a request the user never intended, such as changing their account details. The browser automatically attaches whatever credentials it holds for the target site, notably the session cookie, so the server cannot tell a forged request from a genuine one unless the request carries something the attacker's page could not have known.
According to the Full Disclosure listing, an attacker can craft a hyperlink that carries the malicious request; anyone who follows it while logged in to phpMyAdmin triggers the action. The listing notes that the CSRF is possible because an incorrect HTTP method is used: a state-changing action that is reachable via GET can be fired by a plain link, with no form or script required.
The researcher who discovered it, Manuel Garcia, explained to us:
The post/get requests are not validated. To avoid the CSRF attacks you need to implement a token.
Using tokens is a common protection against CSRF bugs, as OWASP explains in its CSRF prevention cheat sheet. In his Full Disclosure bug report, Garcia recommends that a token variable be validated in each call, adding that other phpMyAdmin requests already do this, which makes the call made from the setup page an anomaly.
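The two points above, that the browser attaches the session cookie on its own and that a synchronizer token fixes it, are easiest to see side by side. The following is an added illustration written for this article, not phpMyAdmin's code: a toy in-memory handler for removing a configured server, first as a GET endpoint that checks only the cookie, then hardened to require POST plus a per-session token. The cookie name `session`, the parameter names `server` and `token`, the server names and the session store are all hypothetical.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    """One HTTP request as the server sees it (constructed, not real traffic)."""
    method: str
    params: dict   # query-string or form fields
    cookies: dict  # cookies the browser attached automatically


@dataclass
class Session:
    user: str
    # Synchronizer token: random per session, never visible to another origin.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


SESSIONS: dict = {}  # hypothetical in-memory store: cookie value -> Session


def login(user: str) -> str:
    """Create a session and return the cookie value the browser would store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user)
    return sid


def _session_for(req: Request):
    return SESSIONS.get(req.cookies.get("session"))


def remove_server_unprotected(req: Request, servers: list) -> int:
    """'Before': any HTTP method is accepted and only the session cookie is
    checked. The browser sends that cookie by itself, so a link on an
    attacker's page is enough to trigger the deletion."""
    sess = _session_for(req)
    if sess is None:
        return 401
    name = req.params.get("server")
    if name not in servers:
        return 404
    servers.remove(name)
    return 200


def remove_server_protected(req: Request, servers: list) -> int:
    """'After': the state change requires POST and a token equal to the one
    stored in the session. The attacker's page cannot read that token, so a
    forged request is refused before anything is deleted."""
    sess = _session_for(req)
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    token = req.params.get("token", "")
    if not hmac.compare_digest(token, sess.csrf_token):  # constant-time compare
        return 403
    name = req.params.get("server")
    if name not in servers:
        return 404
    servers.remove(name)
    return 200


def forged_request(sid: str) -> Request:
    """What the victim's browser sends after following the attacker's link:
    the attacker chose the method and parameters, the browser added the cookie."""
    return Request("GET", {"server": "db-replica"}, {"session": sid})


def legitimate_request(sid: str) -> Request:
    """A submission from the real setup page, which embeds the session's token."""
    params = {"server": "db-replica", "token": SESSIONS[sid].csrf_token}
    return Request("POST", params, {"session": sid})


def demo():
    """Run the forged request against both handlers and a genuine one against
    the hardened handler; returns the status codes and the resulting lists."""
    sid = login("admin")
    before = ["localhost", "db-replica"]   # constructed configuration
    after = ["localhost", "db-replica"]
    r_forged_old = remove_server_unprotected(forged_request(sid), before)
    r_forged_new = remove_server_protected(forged_request(sid), after)
    r_real_new = remove_server_protected(legitimate_request(sid), after)
    return r_forged_old, before, r_forged_new, r_real_new, after


if __name__ == "__main__":
    print(demo())
```

The unprotected handler deletes the entry on the forged GET; the hardened one returns 405 for the same request and would return 403 for a POST carrying a guessed token, while the genuine form submission still succeeds. Checking the method alone is not enough, since an attacker can auto-submit a cross-site POST form; the token is what actually closes the hole.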
The bug hasn’t been patched and, at the time of writing, affects version 4.9.0.1 of phpMyAdmin. Garcia said that he told phpMyAdmin about it on 13 June and followed up on 16 July. When a patch hadn’t appeared on 13 September, exactly three months after initial submission, he published it. So he seems to have followed responsible disclosure guidelines.
phpMyAdmin had acknowledged the bug and explained to Garcia that it would inform him when the bug was fixed. Project co-ordinator Isaac Bennetch told us:
We discussed this report internally and felt it was better included as part of a bug fix release rather than issuing a security hotfix. We consider the attack vector quite small and the possible damage that could be done to be of an inconvenient nature rather than a security concern.
What to do?
Bennetch added last night that the team will fix the bug that Garcia discovered in the release of version 4.9.1, which will be available “in less than a day”.
Until then, administrators can protect themselves by logging out of phpMyAdmin as soon as they’ve finished their work: a CSRF request only works while the browser holds a live session cookie. They might also isolate their admin browsing, for example in a separate browser or profile that they never use for other online services, so that a malicious page elsewhere never runs alongside a logged-in phpMyAdmin session.