Critical vulnerabilities in phpMyAdmin

Share this…


Admins of thousands of websites are waiting for the update launching

According to reports of specialists in digital forensics from the International Institute of Cyber Security, the administrators of phpMyAdmin, one of the most popular and widely used MySQL database management systems, have just launched an updated version of its software with the purpose of patching various vulnerabilities considered critical that could allow a malicious actor to remotely take control of the affected web servers.

The phpMyAdmin project operators had already given notice of updates to their users through a post on their blog, with the intention that website managers, network hosting service providers and other users prepare the best possible way to install critical updates.

“We have resorted to the techniques used by developers of other projects, such as Mediawiki and similar ones, anticipating the release of security patches, allowing phpMyAdmin users to prepare their systems for updating”, mentions Isaac Bennetch, specialist in cybersecurity and digital forensics of phpMyAdmin.

The phpMyAdmin software is a free and open source management tool to operate MySQL databases using a very simple graphical interface through the web browser.

According to experts in digital forensics, almost any web hosting service has the pre-determined installation of phpMyAdmin in its control panels to help website admins to manage in the easiest possible way their databases for websites such as WordPress, Joomla and other content management systems.

In addition to the correction of several bugs, phpMyAdmin developers commented that the update will focus primarily on three critical security flaws present in the software versions prior to 4.8.4:

  • Local file inclusion (CVE-2018-19968)

Local file inclusion vulnerability is present in phpMyAdmin versions between 4.0 and 4.8.3. This flaw could allow a remote attacker to access sensitive content in the server’s local files through its transform function.

  • Forged cross site requests (CSRF)/XSRF (CVE-2018-19969)

phpMyAdmin versions from 4.7.0 to 4.7.6 and 4.8.0 to 4.8.3 include a cross site requests spoofing flaw that, if exploited, would allow a hacker to perform malicious SQL operations. These harmful activities include changes in database names, creating new tables of content, or deleting admin profiles.

  • XSS Vulnerability (CVE-2018-19970)

The software also presents XSS vulnerability in its navigation tree that affects the versions between 4.0 and 4.8.3, so a hacker could inject malicious code into the affected system with specially designed packages.

According to the developers of phpMyAdmin, the 4.8.4 software version will address the three critical vulnerabilities found in previous versions. In addition, the software managers will later launch some additional update patches.

Finally, phpMyAdmin managers strongly recommend that website administrators and hosting providers install the update patches as soon as they are available.