A serious vulnerability in phpMyAdmin allows an attacker to destroy the database
A serious security vulnerability in phpMyAdmin, one of the most popular MySQL database management tools, lets an attacker damage a database (DB) when the administrator is tricked into clicking on a link.
Discovered by security researcher Ashutosh Barot, the vulnerability is a CSRF (Cross-Site Request Forgery) flaw: the attack rides on the victim's authenticated session. phpMyAdmin 4.7.x versions before 4.7.7 are affected.
CSRF, also known as XSRF, is a technique in which an attacker tricks a logged-in user into performing unwanted actions, 'by tricking the user into clicking a malicious URL, which will harm the DB, like deleting a record and deleting data in the table.'
phpMyAdmin is an open source MySQL and MariaDB administration tool, used by many people to administer the databases of websites built with WordPress, Joomla and many other CMS tools.
Many hosting providers also use phpMyAdmin to make it easier for customers to manage their databases.
After discovering the vulnerability, Barot posted a video showing how an attacker can make the admin delete (DROP) an entire table, without the admin even knowing it, simply by tricking them into clicking on a link.
'One feature of phpMyAdmin is to use GET requests, then POST, to perform tasks like DROP TABLE table_name. GET is protected from CSRF attacks, but in this case POST is used and sent via the URL (probably for bookmarking),' Barot explained.
However, the attack is not easy to carry out: to prepare the URL for the CSRF attack, the attacker must know the name of the database and of the table he wants to delete.
'If the user executes a query on the DB by clicking on the DROP or INSERT button, etc., then the URL will contain the DB name and table name. This vulnerability reveals sensitive information because URLs are stored in many places, such as browser history, SIEM logs, firewall logs, ISP logs, etc.,' Barot explained.
Barot reported the vulnerability to phpMyAdmin, which fixed it in version 4.7.7.
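The mechanism Barot describes, as an added illustration that is not phpMyAdmin's code: a handler that executes SQL carried in the URL runs whatever a clicked link contains, while the hardened handler accepts a query only in a POST that carries a per-session token. Request and session objects are plain dicts standing in for a web framework's, and the "database" is a list that records executed statements; the table name is constructed.

```python
import hmac
import secrets


def new_session() -> dict:
    # Per-session secret; an attacker's page cannot read it across origins,
    # so a forged request cannot include the right value.
    return {"user": "admin", "csrf_token": secrets.token_hex(16)}


def vulnerable_run_sql(request: dict, session: dict, db: list) -> str:
    # The flaw described above: the SQL rides in the URL query string, so any
    # link the logged-in admin follows is executed with their session cookie.
    sql = request["params"].get("sql", "")
    db.append(sql)
    return "executed"


def hardened_run_sql(request: dict, session: dict, db: list) -> str:
    # Check 1: a query that arrives by GET (a link, a bookmark) is refused,
    # so a URL on its own can never change the database.
    if request["method"] != "POST":
        return "rejected: SQL must be submitted by POST, not by link"
    # Check 2: the POST must carry the session's CSRF token; constant-time
    # comparison avoids leaking the token through timing.
    token = request["params"].get("token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return "rejected: missing or invalid CSRF token"
    db.append(request["params"].get("sql", ""))
    return "executed"


if __name__ == "__main__":
    session = new_session()
    # Constructed request of the kind a malicious link would trigger.
    link = {"method": "GET", "params": {"sql": "DROP TABLE orders"}}
    print(hardened_run_sql(link, session, []))
```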