CSRF Vulnerability in phpMyAdmin 4.7.x Lets Attackers Delete Records Through Malicious URLs

A Cross-Site Request Forgery (CSRF) vulnerability has been found in phpMyAdmin 4.7.x (before version 4.7.7) that lets attackers perform fundamental database operations by tricking logged-in users into clicking maliciously crafted URLs. The flaw has been grouped under the CVE identifier CVE-2017-1000499, which was also assigned to earlier CSRF vulnerabilities in phpMyAdmin.

Four issues were recently added under the CVE-2017-1000499 CSRF umbrella: modification of the current user's password, arbitrary file writing, data retrieval over DNS communication channels, and emptying all rows from all tables. Because phpMyAdmin handles the administration side of MySQL, these four issues put the entire database at high risk, allowing a malicious user to change passwords, access data, delete data, and carry out other commands through code execution.

As MySQL is a common open source relational database management system, these vulnerabilities (along with the countless other CSRF issues covered by CVE-2017-1000499) undermine software that has been widely adopted by enterprises, particularly for its easy-to-use and effective interface.

In a CSRF attack, an unknowing user carries out a command the attacker intends simply by clicking a link, because the user's browser sends the request along with the user's existing authenticated session. Users are usually tricked into thinking that a particular application asking for permissions is stored locally in a secure place, or that a file being downloaded is what its title claims it to be. Maliciously crafted URLs of this kind cause users to execute the attacker's intended commands unknowingly, compromising the system.
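As an added illustration (not phpMyAdmin's own code), here is the pattern behind this class of bug in Python: a state-changing handler that executes any authenticated request, including a GET reached from a crafted link, beside one that requires POST plus a per-session token. The session store, handler signatures and the sample query are constructed for the example.

```python
import hmac
import secrets


def new_session():
    """Constructed stand-in for a server-side session bound to a cookie."""
    return {"user": "root", "csrf_token": secrets.token_hex(16)}


# A request as the application sees it: HTTP method, query/form parameters,
# and the session looked up from the browser's cookie. A cross-site link the
# victim clicks still carries the cookie (so the session is present), but the
# attacker cannot read the token stored in that session.
def vulnerable_handler(method, params, session):
    """Before: any authenticated request runs the state-changing action."""
    if session is None:
        return "login required"
    if "sql_query" in params:
        return "executed: " + params["sql_query"]
    return "no-op"


def hardened_handler(method, params, session):
    """After: state changes need POST and a token matching the session's,
    compared in constant time so the check leaks nothing via timing."""
    if session is None:
        return "login required"
    if "sql_query" not in params:
        return "no-op"
    if method != "POST":
        return "rejected: state change via GET"
    supplied = params.get("token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return "rejected: missing or invalid token"
    return "executed: " + params["sql_query"]


def demo():
    """Runs both handlers against a constructed cross-site request and a
    legitimate same-site form submission; returns the outcomes by name."""
    session = new_session()
    # Constructed: a link from another site carrying only the query, no token.
    cross_site = {"sql_query": "TRUNCATE TABLE example_table"}
    # Constructed: the application's own form, which embeds the session token.
    legit = dict(cross_site, token=session["csrf_token"])
    return {
        "vuln_get": vulnerable_handler("GET", cross_site, session),
        "hard_get": hardened_handler("GET", cross_site, session),
        "hard_post_notoken": hardened_handler("POST", cross_site, session),
        "hard_post_legit": hardened_handler("POST", legit, session),
    }
```

The same token check has to cover every state-changing entry point; an action left reachable via GET, as in the 4.7.x branch before 4.7.7, bypasses the protection for that action.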

The vendor is aware of this vulnerability, and since users cannot prevent it on their own, a phpMyAdmin update had to be released. The flaw exists in 4.7.x versions prior to 4.7.7, so anyone still running an older version should upgrade to the latest release immediately to mitigate this critical vulnerability.