Critical SQL injection vulnerability affecting phpMyAdmin

Vulnerability testing specialists have reported a security flaw in phpMyAdmin, one of the world's most widely used MySQL database management applications. The flaw is present in multiple versions of the tool (from 4.7.7 to 4.9.2).

According to the report, this is an SQL injection vulnerability that can be exploited through the Designer feature by using a specially crafted database username.

The vulnerability, tracked as CVE-2019-18622, has already been reported to the team behind phpMyAdmin, which acknowledged the report and immediately began working on a fix.

Plesk servers are not affected in their default configuration, because Plesk does not allow database users to be created with special characters in the username, which is a fundamental requirement of this attack.

According to vulnerability testing specialists, only DB Server Admin deployments allow database users to be created directly through MySQL. It should also be stressed that the SQL injection is only possible within phpMyAdmin's own database.

In their advisory on the bug, the team behind phpMyAdmin rates the vulnerability as high severity and encourages potentially affected users to apply the necessary security measures as soon as possible.

To prevent any exploitation scenario, it is recommended to upgrade to phpMyAdmin 4.9.2 or any later version; the patch for earlier versions is available at the following GitHub link. For questions or comments, it is recommended to contact the phpMyAdmin team directly through its website. For users created through Plesk, no additional security measures are required.
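The two defensive checks the article points to, a version audit against the remediation threshold and a restriction on database usernames like the one it credits Plesk with, can be scripted for an inventory of hosts. The following is an added example written for this page, not code from the article or from the phpMyAdmin project. It assumes the version threshold stated above (4.9.2 or later is patched, 4.7.7 is the first affected release) and a username allowlist of our own choosing that is deliberately stricter than what MySQL itself accepts; the host inventory and the user list are constructed sample data.

```python
import re
from typing import List, Tuple

# Remediation threshold as stated in the article: 4.9.2 or any later release carries the fix.
FIXED_VERSION = (4, 9, 2)
# First affected release as stated in the article.
FIRST_AFFECTED = (4, 7, 7)

# Assumption: a conservative allowlist for new database user names, modelled on the
# Plesk behaviour the article describes. MySQL permits far more characters than this;
# the point is to refuse anything that could carry quoting or SQL metacharacters.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn a phpMyAdmin version string such as '4.9.1' or '5.0.0-rc1' into a comparable tuple.

    Pre-release suffixes after '-' are dropped; missing components are padded with 0 so that
    '4.9' compares as (4, 9, 0). Non-numeric components raise ValueError instead of guessing.
    """
    core = version.strip().split("-", 1)[0]
    parts: List[int] = []
    for piece in core.split("."):
        if not piece.isdigit():
            raise ValueError(f"unparseable component {piece!r} in version {version!r}")
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    # Extra components (e.g. '4.9.2.1') are kept only as a tie-breaker above the fixed release.
    return (parts[0], parts[1], parts[2]) if len(parts) == 3 else tuple(parts)  # type: ignore[return-value]


def is_affected(version: str) -> bool:
    """True when the version falls inside the affected range [4.7.7, 4.9.2)."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_VERSION


def audit_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the host names whose phpMyAdmin version still needs the upgrade."""
    return [host for host, ver in inventory if is_affected(ver)]


def reject_reasons(username: str) -> List[str]:
    """Explain why a proposed database username fails the allowlist (empty list means accepted)."""
    reasons = []
    if not username:
        reasons.append("empty username")
    elif len(username) > 32:
        reasons.append("longer than 32 characters")
    if username and not SAFE_USERNAME.match(username):
        bad = sorted({c for c in username if not re.match(r"[A-Za-z0-9_]", c)})
        if bad:
            reasons.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return reasons


def audit_usernames(usernames: List[str]) -> List[Tuple[str, List[str]]]:
    """Flag existing database users that would not pass the allowlist."""
    return [(u, reject_reasons(u)) for u in usernames if reject_reasons(u)]


if __name__ == "__main__":
    # Constructed sample inventory: (host, reported phpMyAdmin version).
    inventory = [("db-web-01", "4.9.1"), ("db-web-02", "4.9.2"), ("legacy-01", "4.7.6"), ("dev-01", "5.0.0-rc1")]
    for host in audit_hosts(inventory):
        print(f"{host}: upgrade phpMyAdmin to 4.9.2 or later")

    # Constructed sample user list; the quoting characters are what the allowlist is meant to refuse.
    for user, why in audit_usernames(["app_user", "report'user", "x`y", "a" * 33]):
        print(f"{user!r} rejected: {', '.join(why)}")
```

Run it as a script to print the hosts still inside the affected range and the usernames that would be refused; the same two functions can be called from a provisioning hook so that a username is validated before `CREATE USER` is ever issued.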

Multiple security issues have recently been reported in this tool. A couple of months ago, vulnerability testing specialists at the International Institute of Cyber Security (IICS) reported an unpatched zero-day vulnerability in phpMyAdmin; this Cross-Site Request Forgery (XSRF) vulnerability relied on tricking an authenticated user into performing malicious actions on the target system.

Tracked as CVE-2019-12922, the flaw was rated medium severity because of its limited scope: the exploit only allowed attackers to delete servers configured on the setup page of a phpMyAdmin panel on the victim's server.