CVE-2017-1000499 CSRF vulnerability in phpMyAdmin

A critical security vulnerability CVE-2017-1000499 has been identified in phpMyAdmin which could allow remote attackers to perform dangerous database operations just by deceiving administrators into clicking a link.

Technical Overview

The vulnerability is a cross-site request forgery (CSRF) flaw. A CSRF attack occurs when an attacker deceives a logged-in user into clicking a crafted URL; the user's browser sends the resulting request to phpMyAdmin along with the user's session, so the attacker gains the ability to perform database operations as that user.

How it Works

  1. A database admin is logged into phpMyAdmin
  2. An attacker tricks the admin into clicking a CSRF URL in the same browser
  3. The crafted URL causes the admin's web browser to send an HTTP request to phpMyAdmin, carrying the admin's authenticated session
  4. This can result in the disclosure of sensitive information or could allow the remote attacker to perform dangerous database operations
  5. The user, unaware of what has happened, becomes a victim.
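The check a web application needs before running a state-changing database operation, as an added Python example (not phpMyAdmin's own code): a handler that runs on any request bearing the session cookie is exactly what a crafted link exploits, while the hardened handler rejects the link-click GET, a cross-site POST and a POST without the per-session token. The request model, the site origin and the session-token design are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of an HTTP request as the app sees it (assumption:
# method, the Origin header if the browser sent one, and form/query params).
@dataclass
class Request:
    method: str
    origin: Optional[str]
    params: dict = field(default_factory=dict)

def new_session_token() -> str:
    """Per-session secret the app embeds in its own forms; a third-party
    page cannot read it, so it cannot forge a request that carries it."""
    return secrets.token_hex(16)

def handle_vulnerable(req: Request) -> str:
    """CSRF-able pattern: any request bearing the session cookie, including
    a GET produced by a crafted link, runs the operation."""
    return "dropped " + req.params["table"]

def is_csrf_safe(req: Request, session_token: str, site_origin: str) -> bool:
    """True only for requests that a first-party form can produce."""
    # 1. A clicked link is a GET; require POST for anything that changes state.
    if req.method != "POST":
        return False
    # 2. Browsers attach Origin to cross-site POSTs; it must be our own site.
    if req.origin != site_origin:
        return False
    # 3. The form must carry the per-session token (constant-time compare).
    supplied = req.params.get("token", "")
    return hmac.compare_digest(supplied.encode(), session_token.encode())

def handle_fixed(req: Request, session_token: str, site_origin: str) -> str:
    """Hardened handler: same operation, gated by the CSRF check."""
    if not is_csrf_safe(req, session_token, site_origin):
        return "403 rejected"
    return "dropped " + req.params["table"]

if __name__ == "__main__":
    tok = new_session_token()
    site = "https://pma.example"                     # constructed origin
    link = Request("GET", None, {"table": "users"})  # crafted link, clicked
    print(handle_vulnerable(link), "|", handle_fixed(link, tok, site))
```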

How can I protect phpMyAdmin?

It is highly recommended that users update their installations as soon as possible to version 4.7.7, or downgrade to a version below 4.7.0.

More Info

Affected Versions

Versions 4.7.x (prior to 4.7.7) are affected

Unaffected Versions

Versions older than 4.7.0 are not affected

Fixed Versions

4.7.7 and <4.7.0

Reference Links

https://www.phpmyadmin.net/security/PMASA-2017-9/

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000499