ASA-2018-00072 – phpMyAdmin: XSRF/CSRF vulnerability due to application receiving parameters via GET


Allele Security Alert

ASA-2018-00072

Identifier(s)

ASA-2018-00072, CVE-2018-19969, PMASA-2018-7

Title

XSRF/CSRF vulnerability due to application receiving parameters via GET

Vendor(s)

The phpMyAdmin Project

Product(s)

phpMyAdmin

Affected version(s)

phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3

Fixed version(s)

phpMyAdmin 4.8.4

Proof of concept

Unknown

Description

By deceiving a logged-in user into clicking a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc. The affected pages accepted the parameters that select these operations via GET, so the request could be delivered by a link the victim opens while authenticated to phpMyAdmin.
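The following is an added illustration of the flaw class and of the shape of the fix whose commits are listed under References ("Retrieve parameters from $_POST ..."); it is not phpMyAdmin source code. The endpoint name, the parameter names (db, db_rename, newname, token) and the session-token scheme are assumptions chosen to show the pattern around a "rename database" operation.

```php
<?php
declare(strict_types=1);

// Illustrative code added to this alert; not phpMyAdmin source.
// Endpoint, parameter names and token scheme are assumptions.

const ACTION_RUN = 'RENAME executed';
const ACTION_REFUSED = 'request refused';

/**
 * Vulnerable shape: the handler reads its parameters from $_REQUEST
 * (GET and POST merged by PHP, order per request_order), so the query
 * string of a crafted link is enough. A logged-in victim who opens
 *   https://pma.example/db_operations.php?db=prod&db_rename=1&newname=x
 * (hypothetical URL) performs the rename with their own session cookie.
 */
function renameDatabaseVulnerable(array $request): string
{
    if (!empty($request['db_rename'])
        && isset($request['db'], $request['newname'])) {
        // Real code would issue RENAME here; we only report the decision.
        return ACTION_RUN;
    }
    return ACTION_REFUSED;
}

/**
 * Hardened shape, in the direction of the 4.8.4 commits: accept the
 * state-changing parameters only from the POST body, and require a
 * per-session anti-CSRF token compared in constant time. A cross-site
 * link or <img> can only produce a GET; a forged cross-site form POST
 * cannot include a token the attacker has never seen.
 */
function renameDatabaseHardened(string $method, array $post, string $sessionToken): string
{
    if ($method !== 'POST') {
        return ACTION_REFUSED;
    }
    $sent = isset($post['token']) ? (string) $post['token'] : '';
    if ($sent === '' || !hash_equals($sessionToken, $sent)) {
        return ACTION_REFUSED;
    }
    if (!empty($post['db_rename']) && isset($post['db'], $post['newname'])) {
        return ACTION_RUN;
    }
    return ACTION_REFUSED;
}

// --- Constructed requests (no web server needed; run with `php csrf_get.php`) ---
$sessionToken = bin2hex(random_bytes(16));   // token kept server-side in the session

// 1. Crafted link: parameters arrive in the query string only.
$forgedGet = ['db' => 'prod', 'db_rename' => '1', 'newname' => 'pwned'];
printf("vulnerable, GET from crafted link : %s\n", renameDatabaseVulnerable($forgedGet));
printf("hardened,   GET from crafted link : %s\n", renameDatabaseHardened('GET', [], $sessionToken));

// 2. Cross-site auto-submitting form: POST body present, token absent.
printf("hardened,   POST without token    : %s\n",
    renameDatabaseHardened('POST', $forgedGet, $sessionToken));

// 3. Legitimate POST from the application's own form carries the token.
$legitPost = $forgedGet + ['token' => $sessionToken];
printf("hardened,   POST with valid token : %s\n",
    renameDatabaseHardened('POST', $legitPost, $sessionToken));
```

Reading from $_POST on its own is not a complete defence: an attacker can still auto-submit a cross-site form that sends a POST body. It closes the crafted-URL vector described above, and it matters because it forces the request onto the path where the anti-CSRF token is checked. A token bound to the session and compared with hash_equals() is what rejects the forged POST in case 2.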

Technical details

Not published separately by the vendor. The fix commits referenced below change each affected page to retrieve the parameters of state-changing operations from $_POST instead of accepting them via GET, so that a crafted URL can no longer select the operation.

Credits

Daniel Le Gall (SCRT), Mustafa Hasan, SI9INT and Prasetia Ari

Reference(s)

Security fix: phpMyAdmin 4.8.4 is released
https://www.phpmyadmin.net/news/2018/12/11/security-fix-phpmyadmin-484-released/

phpMyAdmin – Security – PMASA-2018-7
https://www.phpmyadmin.net/security/PMASA-2018-7/

Retrieve parameters from $_POST in database and table operation pages
https://github.com/phpmyadmin/phpmyadmin/commit/f049c127ca21885ab0856a8c562ed1c74961bb5d

Fix missing parameter
https://github.com/phpmyadmin/phpmyadmin/commit/be0660e4c46a1f3f74d86bac41419d5804201502

Retrieve parameters from $_POST in central columns page
https://github.com/phpmyadmin/phpmyadmin/commit/77ea7024bfa75659dea20dacb225f0d48414fd02

Retrieve parameters from $_POST in tracking pages
https://github.com/phpmyadmin/phpmyadmin/commit/ad7f7fd80192bd9f7f22f4d8d9a8818dd69f3e0c

Retrieve parameters from $_POST in server_databases page
https://github.com/phpmyadmin/phpmyadmin/commit/5d781422fb9f0af54e9cf9c85371b4d8c02ac56d

Fix #249 CSRF to CREATE TABLE query
https://github.com/phpmyadmin/phpmyadmin/commit/d6e04ca09b205cbc1e00f26da9d1f3690287a4af

Retrieve parameters from $_POST in routines
https://github.com/phpmyadmin/phpmyadmin/commit/d9279982a9c24456c061ecc700f69610424e854e

Fix routines tests
https://github.com/phpmyadmin/phpmyadmin/commit/3ac68d2edaafea38c3c45e364933456540603c09

Parameter item_type should be read from $_REQUEST as it can be in both $_POST and $_GET
https://github.com/phpmyadmin/phpmyadmin/commit/98ef759676cfc60db56aff657d5f66f818780872

Retrieve parameters from $_POST in events
https://github.com/phpmyadmin/phpmyadmin/commit/faced0a344a3e3c2cfe645d400fcddc54dcc7f4e

Retrieve parameters from $_POST in triggers
https://github.com/phpmyadmin/phpmyadmin/commit/d0eede7c566d97f92b5fda1560fa07b583ffc0a4

Retrieve parameters from $_POST in view create/edit
https://github.com/phpmyadmin/phpmyadmin/commit/42561e689613e6712920bada4e2f957a96252f97

Fix create view dialog not sending parameters as POST
https://github.com/phpmyadmin/phpmyadmin/commit/ca06ecc87681e7d547271fdbd06816a2bee9be80

Retrieve parameters from $_POST in insert/edit pages
https://github.com/phpmyadmin/phpmyadmin/commit/3d9ed655cc6107bd0e8e6d5f5a5f58d0fc791564

Retrieve parameters from $_POST in table_row_action
https://github.com/phpmyadmin/phpmyadmin/commit/b72e55acf82a67fcb9d8eb341878f8e9fc7af295

Retrieve parameters from $_POST in table structure
https://github.com/phpmyadmin/phpmyadmin/commit/9219b28f474f032621b3cc827d12407673e47b08

Retrieve parameters from $_POST in database QBE
https://github.com/phpmyadmin/phpmyadmin/commit/6c03ebad38a64ac1c53f9bae9e9c2d5e0d556bfd

Fix phpmyadmin-security#254 CSRF allowing password reset
https://github.com/phpmyadmin/phpmyadmin/commit/7d3f203131231d09a7485c38355f5cb546cbf897

Retrieve parameters from $_POST in designer
https://github.com/phpmyadmin/phpmyadmin/commit/2a749337bf9e1319f5d0bc62aae3f79f8f9080d0

Retrieve parameters from $_POST in user/Privileges pages
https://github.com/phpmyadmin/phpmyadmin/commit/35d87e607227c4ea0d1613ad39c5bca75b726fca

Fix test failures
https://github.com/phpmyadmin/phpmyadmin/commit/80eaee9c0a1fadc4c7f7ab3838b3fe5eb15a7830

Retrieve parameters from $_POST in mult_submits.inc.php
https://github.com/phpmyadmin/phpmyadmin/commit/259cbc6ab1d61afb3a657ad4a787eefe8278ec29

Retrieve parameters from $_POST in export
https://github.com/phpmyadmin/phpmyadmin/commit/c1cdaac2f465dd6b9e17f9f35fd46861ad703a6d

Retrieve parameters from $_POST in tbl_addfield
https://github.com/phpmyadmin/phpmyadmin/commit/1edf1aced6ad963c9f282666150f7f36f1ca449e

Retrieve parameters from $_POST in import
https://github.com/phpmyadmin/phpmyadmin/commit/bf3e6c3a77ff5d1fc2a15bba7f0a66e7fcb357e6

Retrieve parameters from $_POST in normalization
https://github.com/phpmyadmin/phpmyadmin/commit/827e4dcf2ce738d7b320682e97e29ad448f9147f

Retrieve parameters from $_POST in navigation
https://github.com/phpmyadmin/phpmyadmin/commit/b4e1862740b3412aab2f7079649a705f317cb1b0

Retrieve parameters from $_POST in sql pages
https://github.com/phpmyadmin/phpmyadmin/commit/5109c1787e111a87521db94c93d4cb2c46cc29f4

Retrieve parameters from $_POST in ajax.php
https://github.com/phpmyadmin/phpmyadmin/commit/88e162b651dfbd64c98ac40976023c4b7d1438bb

Retrieve parameters from $_POST in browse foreigners
https://github.com/phpmyadmin/phpmyadmin/commit/e7e7d56c759366c61824b67f48ec0ba4d5507105

Retrieve parameters from $_POST in chk_rel
https://github.com/phpmyadmin/phpmyadmin/commit/593b2571cd8ba5110cd39fee896ea172ca2c81d5

Retrieve parameters from $_POST in error report
https://github.com/phpmyadmin/phpmyadmin/commit/737ac997f9271d15f08b20893c9174a312027b74

Retrieve parameters from $_POST in GIS data editor
https://github.com/phpmyadmin/phpmyadmin/commit/0fe1a3bea88a553407930f83380b88d7591d2bdd

Retrieve parameters from $_POST in server_status_processes.php
https://github.com/phpmyadmin/phpmyadmin/commit/79548c0dcfc185f7c31a0c527d952a2b14266ddf

Retrieve parameters from $_POST in server_user_groups.php
https://github.com/phpmyadmin/phpmyadmin/commit/89db84213ba1b2b38387632c884c6fe64166f512

Retrieve parameters from $_POST in server_status_variables.php
https://github.com/phpmyadmin/phpmyadmin/commit/30543ad81f5151d592e39e3075dd32a7487d8d9e

Retrieve parameters from $_POST in db_search.php
https://github.com/phpmyadmin/phpmyadmin/commit/0be9a53fcfd4131c8737f717371570402b292361

Retrieve parameters from $_POST in tbl_indexes.php
https://github.com/phpmyadmin/phpmyadmin/commit/d01ece698a18624ede4bccffd81035da7c27b9a0

Retrieve parameters from $_POST in table relation
https://github.com/phpmyadmin/phpmyadmin/commit/d1d90b59b28ab8be332e442df55864cb858e40dd

Retrieve parameters from $_POST in server_status_monitor.php
https://github.com/phpmyadmin/phpmyadmin/commit/a98207c6de3bde433602273d1cccc7f2f99d7501

Retrieve parameters from $_POST in server replication
https://github.com/phpmyadmin/phpmyadmin/commit/eb13c69f0db2b1158d4b36deef7544fa1a932505

Retrieve parameters from $_POST in view_operations.php
https://github.com/phpmyadmin/phpmyadmin/commit/79fd80cef5da7f67eed01825b4d4b957d03acffd

Retrieve parameters from $_GET in url.php
https://github.com/phpmyadmin/phpmyadmin/commit/01e8064e3530a05d8d2975ad29fdd519a952e0ec

Retrieve parameters from $_POST in server binlog
https://github.com/phpmyadmin/phpmyadmin/commit/34972f0132c6e04fc324ad422f2fc609df7a22ec

Retrieve parameters from $_POST in table search
https://github.com/phpmyadmin/phpmyadmin/commit/6fd9bfb75b357e375c8992a8c9194411954a8427

Retrieve parameters from $_POST in partition definition
https://github.com/phpmyadmin/phpmyadmin/commit/c36592b4e8dfe6e5b2e7c9197c32abdf155df350

Retrieve parameters from $_POST in Table class
https://github.com/phpmyadmin/phpmyadmin/commit/d745d1ce019bf1aa60f19e8ac993389adb81e3a9

Retrieve parameters from $_POST in UserPassword class
https://github.com/phpmyadmin/phpmyadmin/commit/d98b40281b0e8781918240b201b35758b474e595

Retrieve parameters from $_POST in server variables
https://github.com/phpmyadmin/phpmyadmin/commit/e7f1e2697acace0d05356a943174cefeae1cf11e

CVE-2018-19969 (MITRE)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19969

CVE-2018-19969 (NVD)
https://nvd.nist.gov/vuln/detail/CVE-2018-19969

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: January 29, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.