VIR Vulnerability Intelligence Relay

CVE-2019-12922

unknown
Published 2022-05-24 · Modified 2024-04-24
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS v4 NEW
not yet in upstream
VIR risk
1.0

Description

A CSRF issue in phpMyAdmin 4.9.0.1 allows deletion of any server in the Setup page.

Predictions

Exploit likelihood
30%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-47385 webapps php text · 2 KB
Manuel García Cárdenas · 2019-09-13

phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

text exploit Source: Exploit-DB 
=============================================
MGC ALERT 2019-003
- Original release date: June 13, 2019
- Last revised:  September 13, 2019
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,3/10 (CVSS Base Score)
- CVE-ID: CVE-2019-12922
=============================================

I. VULNERABILITY
-------------------------
phpMyAdmin 4.9.0.1 - Cross-Site Request Forgery

II. BACKGROUND
-------------------------
phpMyAdmin is a free software tool written in PHP, intended to handle the
administration of MySQL over the Web. phpMyAdmin supports a wide range of
operations on MySQL and MariaDB.

III. DESCRIPTION
-------------------------
Has been detected a Cross-Site Request Forgery in phpMyAdmin, that allows
an attacker to trigger a CSRF attack against a phpMyAdmin user deleting any
server in the Setup page.

IV. PROOF OF CONCEPT
-------------------------
Exploit CSRF - Deleting main server

<p>Deleting Server 1</p>
<img src="
http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1"
style="display:none;" />

V. BUSINESS IMPACT
-------------------------
The attacker can easily create a fake hyperlink containing the request that
wants to execute on behalf the user,in this way making possible a CSRF
attack due to the wrong use of HTTP method.

VI. SYSTEMS AFFECTED
-------------------------
phpMyAdmin <= 4.9.0.1

VII. SOLUTION
-------------------------
Implement in each call the validation of the token variable, as already
done in other phpMyAdmin requests.

VIII. REFERENCES
-------------------------
https://www.phpmyadmin.net/

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Manuel Garcia Cardenas (advidsec (at) gmail (dot) com).

X. REVISION HISTORY
-------------------------
June 13, 2019 1: Initial release
September 13, 2019 2: Last revision

XI. DISCLOSURE TIMELINE
-------------------------
June 13, 2019 1: Vulnerability acquired by Manuel Garcia Cardenas
June 13, 2019 2: Send to vendor
July 16, 2019 3: New request to vendor without fix date
September 13, 2019 4: Sent to lists

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.

XIII. ABOUT
-------------------------
Manuel Garcia Cardenas
Pentester

OS impact
debian Debian Fixed 4 releases
VersionStatusFixed in
trixie Fixed 4:4.9.1+dfsg1-2
sid Fixed 4:4.9.1+dfsg1-2
bullseye Fixed 4:4.9.1+dfsg1-2
bookworm Fixed 4:4.9.1+dfsg1-2

Package impact
EcosystemPackageVulnerableFixed
php Packagistphpmyadmin/phpmyadmin<4.9.14.9.1

References

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.