A critical security vulnerability, CVE-2017-1000499, has been identified in phpMyAdmin. It could allow remote attackers to perform dangerous database operations simply by deceiving an administrator into clicking a link.
The vulnerability is a cross-site request forgery (CSRF). A cross-site request forgery, or CSRF attack, occurs when an attacker deceives a logged-in user into clicking a crafted URL; the user's browser then sends a request the attacker chose, and the application executes it with the user's privileges, including database operations.
How it Works
- A database admin is logged into phpMyAdmin
- An attacker tricks the admin into clicking a CSRF URL in the same browser
- The browser then sends the attacker's HTTP request to phpMyAdmin, carrying the admin's session cookie, so phpMyAdmin treats it as the admin's own action
- This can result in the disclosure of sensitive information or could allow the remote attacker to perform dangerous database operations
- The user, unaware of the situation, becomes a victim.
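The standard defence against the sequence above is to tie every state-changing request to a secret token that a cross-site link cannot supply. The following PHP is an added illustration written for this page; it is not phpMyAdmin's own code and does not describe how phpMyAdmin implements its fix. The field name, cookie settings and handler layout are assumptions.

```php
<?php
// Added example of a generic CSRF token check (not phpMyAdmin's code).
// Assumptions (hypothetical): state-changing actions arrive via POST,
// and the form field name below is made up for this example.
declare(strict_types=1);

const CSRF_FIELD = 'csrf_token';   // hypothetical form field / session key

// Issue one unguessable token per session and keep it server-side.
function csrf_token(): string
{
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Embed the token in every form that performs a state-changing action.
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// A request may change state only if it is a POST carrying the session's token.
// A link a victim is tricked into clicking produces a GET with no token,
// so it fails both conditions and is rejected before any database work.
function csrf_validate(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $given    = $post[CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Usage at the top of any handler that modifies the database.
// SameSite=Strict keeps the browser from attaching the session cookie to
// cross-site requests at all, which blocks the attack even if a token check
// is forgotten somewhere (assumed cookie settings; PHP 7.3+ array form).
session_set_cookie_params([
    'samesite' => 'Strict',
    'httponly' => true,
    'secure'   => true,
]);
session_start();

if (!csrf_validate($_SERVER['REQUEST_METHOD'] ?? 'GET', $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Rejected: missing or invalid CSRF token');
}
// ... safe to run the requested database operation here ...
```

Two design points matter here: the comparison uses hash_equals() so the check cannot be timed, and the token is rejected whenever the request is not a POST, so a GET link (the vector described above) is refused regardless of what parameters it carries. The SameSite cookie attribute is a second, independent layer; neither should be relied on alone.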
How can I protect phpMyAdmin?
It is highly recommended that users update their installations as soon as possible to version 4.7.7, or otherwise downgrade to a version earlier than 4.7.0.
- Affected: versions 4.7.x prior to 4.7.7
- Not affected: versions older than 4.7.0
- Fixed: 4.7.7 (and versions <4.7.0, which never contained the flaw)