Critical CSRF Security Vulnerability in phpMyAdmin Database Tool Patched

A "cross-site request forgery" vulnerability in a popular tool for administering MySQL and MariaDB databases that could lead to data loss has been patched.

phpMyAdmin has been dealing with a critical CSRF security vulnerability.

The timing on this is lousy, coming on a day when every admin and DevOps on the planet is scrambling to patch every Intel machine against Meltdown, while trying to figure out what it will mean to have every server in the data center taking a 5-30 percent performance hit. The problem with security issues is that they're rarely polite enough to surface when it's convenient.

If you've got MySQL or MariaDB running on any of your machines -- and you probably do -- then there's a good chance you're also running phpMyAdmin, a popular free and open source MySQL administration tool.

That means you might have another problem.

According to an advisory released by phpMyAdmin, a recently discovered cross-site request forgery vulnerability needs to be patched. "By deceiving a user to click on a crafted URL," the advisory states, "it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc."

Just when you thought it couldn't get any worse.

Since this is a bad news day, I'll skip ahead to the good news. The fix is in on this CSRF issue, and all that has to be done is to upgrade any instances of phpMyAdmin. And even though this is a critical flaw that could result in loss of data, if you've got your hands full for the moment working around Intel's mess, you're probably going to be all right. Just tell your people to use caution.

But don't wait too long, as this one can be tricky. In a blog post, the Indian security researcher who discovered the vulnerability, Ashutosh Barot, reported that the "attack worked even when the user was authenticated in cPanel and phpMyAdmin was closed after use."
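The two passages above describe the shape of the problem: a destructive database operation that a logged-in browser will perform just by following a crafted URL, and a session cookie that keeps working after the phpMyAdmin tab is closed. The PHP below is an added illustration written for this article, not phpMyAdmin's own code; the handler names, the `FakeDb` stand-in and the constructed request arrays are all hypothetical. It places the vulnerable request-handling pattern beside the standard defences (state changes only over POST, a per-session anti-CSRF token compared with `hash_equals()`, and a `SameSite` session cookie so the browser does not attach the session to cross-site requests in the first place).

```php
<?php
// Added illustration, not phpMyAdmin's code. All names below are hypothetical.
declare(strict_types=1);

// Constructed stand-in for the database layer: records what would have run
// instead of touching a real server.
final class FakeDb
{
    public array $executed = [];
    public function exec(string $sql): void { $this->executed[] = $sql; }
}

// --- Vulnerable pattern (the shape the advisory describes) -----------------
// Being logged in is the only check, and the operation is driven entirely by
// URL parameters. Any page the user visits can make the browser send this
// request, and the browser attaches the still-valid session cookie to it.
function handle_vulnerable(array $session, array $get, FakeDb $db): string
{
    if (empty($session['user'])) {
        return 'login required';
    }
    if (($get['action'] ?? '') === 'drop' && isset($get['table'])) {
        $db->exec('DROP TABLE `' . str_replace('`', '``', $get['table']) . '`');
        return 'dropped';
    }
    return 'noop';
}

// Issue one unguessable token per session and keep it server-side; the
// application embeds it in its own forms as a hidden field.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// --- Hardened pattern -------------------------------------------------------
// Destructive actions are accepted only over POST and only when the submitted
// token matches the one bound to the session. hash_equals() compares in
// constant time so the check itself does not leak the token.
function handle_hardened(array $session, string $method, array $post, FakeDb $db): string
{
    if (empty($session['user'])) {
        return 'login required';
    }
    if ($method !== 'POST') {
        return 'method not allowed';
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'csrf check failed';
    }
    if (($post['action'] ?? '') === 'drop' && isset($post['table'])) {
        $db->exec('DROP TABLE `' . str_replace('`', '``', $post['table']) . '`');
        return 'dropped';
    }
    return 'noop';
}

// Defence in depth: a SameSite=Strict session cookie is not sent on requests
// that originate from another site, so "closed the tab but still logged in"
// no longer helps a forged request. In a real application call this before
// session_start().
function harden_session_cookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
}

// --- Demonstration with constructed requests --------------------------------
$session = ['user' => 'admin'];                            // constructed: a logged-in session left behind
$forged  = ['action' => 'drop', 'table' => 'customers'];   // constructed: parameters a crafted URL would carry

$db = new FakeDb();
echo handle_vulnerable($session, $forged, $db), "\n";
echo handle_hardened($session, 'GET', [], $db), "\n";
echo handle_hardened($session, 'POST', $forged, $db), "\n";

// Only a request carrying the token from the site's own form gets through.
$token = issue_csrf_token($session);
$legit = $forged + ['token' => $token];
echo handle_hardened($session, 'POST', $legit, $db), "\n";
echo count($db->executed), " statement(s) executed\n";
```

Run with `php` from the command line: the vulnerable handler executes the DROP on the forged parameters alone, the hardened handler rejects the same parameters first for the wrong method and then for the missing token, and only the request built with the session's own token reaches the database, so the fake database records two statements in total. The token check is what the upgrade to a fixed phpMyAdmin restores for the affected operations; the cookie attribute is an extra layer an operator can add regardless of version.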

Again, the good news: "In order to exploit this vulnerability, user interaction is required. So, severity for this vulnerability is Medium."

The flaw affects phpMyAdmin versions 4.7.x prior to 4.7.7, which is the patched version released just before Christmas. Users are advised to update as soon as possible.
