Most of you are familiar with the Cross Site Request Forgery (CSRF) vulnerability; it is one of the most common vulnerabilities and was listed in the OWASP Top 10 – 2013.
Previously, I had found and reported a CSRF in an Intel website; by exploiting that vulnerability an attacker could remove items from an authenticated user’s shopping cart. Such actions are common attack scenarios regarding CSRF.
In this case (phpMyAdmin), a database admin/developer can be tricked into performing database operations like DROP TABLE using CSRF. It can cause devastating incidents! The vulnerability allows an attacker to send a crafted URL to the victim, and if she (an authenticated user) clicks it, the victim may perform a DROP TABLE query on her own database.
What is phpMyAdmin?
phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting providers using cPanel.
phpMyAdmin is widely used to manage the database for various websites created with WordPress, Joomla and many other CMS.
What is CSRF vulnerability?
CSRF stands for Cross Site Request Forgery.
According to OWASP, “A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request, including the victim’s session cookie and any other automatically included authentication information, to a vulnerable web application. This allows the attacker to force the victim’s browser to generate requests the vulnerable application thinks are legitimate requests from the victim.”
In simple terms, an attacker can create a crafted URL and lure victims (with an active session) into performing dangerous operations without their knowledge.
CSRF is a critical vulnerability and was listed in the OWASP Top 10 – 2013. A feature of phpMyAdmin was using GET requests for database operations such as DROP TABLE table_name; state-changing requests, GET requests included, must be protected against CSRF attacks. So, in this case, it was possible for an attacker to trick a database admin into clicking a button and performing a database query of the attacker’s choice.
The URL for performing database operations was also being saved in browser history. If a user executes a query on the database by clicking the Insert, Drop, etc. buttons, the URL will contain the database name and table name. This can result in disclosure of sensitive information, as the URL is stored in various places such as browser history, SIEM logs, firewall logs, ISP logs, etc.
This CSRF attack worked even when the user was authenticated in cPanel and phpMyAdmin had been closed after use. In order to exploit this vulnerability, user interaction is required, so the severity of this vulnerability is Medium.
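The two patterns the post contrasts, as an added PHP illustration that is not phpMyAdmin’s own code: a handler that runs a state-changing query straight from the URL, beside a hardened handler that only accepts POST carrying a session-bound anti-CSRF token and so keeps the query out of the URL and logs. The `$pdo` handle, the `/sql.php` route and the parameter names are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code). Cookie flags must be set before
// session_start(); SameSite=Lax is a browser-enforced second layer, the
// token check below is the application-level defence.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// --- Weak pattern: any link the victim's logged-in browser follows runs the
// query, and the query text (database/table names) ends up in browser history,
// proxy, firewall and SIEM logs because it travels in the URL.
function handle_weak(PDO $pdo): void
{
    if (isset($_GET['sql_query'])) {
        $pdo->exec($_GET['sql_query']);          // e.g. ?sql_query=DROP+TABLE+t
    }
}

// --- Hardened pattern: state changes only via POST, bound to a random
// per-session token that a cross-site page can neither read nor guess.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(string $method, array $post, ?string $sessionToken): bool
{
    if ($method !== 'POST') {
        return false;                            // GET/HEAD must never mutate
    }
    $sent = $post['csrf_token'] ?? '';
    if ($sessionToken === null || $sent === '') {
        return false;
    }
    return hash_equals($sessionToken, $sent);   // constant-time comparison
}

function handle_hardened(PDO $pdo): void
{
    if (!csrf_check($_SERVER['REQUEST_METHOD'], $_POST, $_SESSION['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
    $pdo->exec($_POST['sql_query']);            // query is in the body, not the URL
}
?>
<!-- The query form carries the token as a hidden field (assumed route /sql.php). -->
<form method="post" action="/sql.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <textarea name="sql_query"></textarea>
  <button type="submit">Go</button>
</form>
```

What SQL the user is allowed to run is still governed by the database account’s privileges; the token only ensures the request was intentionally made by the logged-in user.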
Here’s the proof of concept video for this vulnerability: