The phpMyAdmin cross-site request forgery (CSRF) vulnerability found by Indian security researcher Ashutosh Barot caused a lot of noise. Many website owners began a heated debate on this issue, which is understandable since phpMyAdmin is one of the most popular tools for managing MySQL databases. I find this discussion somewhat surprising because most participants do not realize what conditions are needed to make this vulnerability exploitable. My modest opinion is that this security issue is more dangerous in theory than in practice. Let’s see why I think so.
phpMyAdmin CSRF vulnerability exploitation mechanism
Attacks on CSRF vulnerabilities are quite primitive. An attacker prepares a specially crafted link carrying certain parameters or commands. If the link is clicked by the administrator, or by any logged-in user with sufficient rights on the targeted system, it triggers an action the user never intended. Ashutosh Barot published a short YouTube video showing how he managed to drop a table from the database with a single click on such a link. The attack is possible because the operation is performed through an unprotected GET request.
At first glance, things look very simple, but on closer inspection we can see a lot of nuances that can prevent this vulnerability from being exploited. First of all, let’s find out what conditions are needed for this kind of attack:
- The phpMyAdmin user must be logged in at the moment of clicking the crafted link provided by the attacker.
- The attacker must know the full address of the phpMyAdmin installation to be able to craft the link needed for the attack.
- The attacker must know the name of the database table to be able to craft the link needed for the attack.
- Finally, the attacker must ensure that the phpMyAdmin user actually clicks the crafted link and thereby executes the attack.
To meet all these conditions as an attacker, you must be a fortunate guy. It’s like an alignment of several planets in our solar system: a common phenomenon, but one you might have to wait several hundred years for. Thus, this attack relies more on luck than on a guaranteed method, and it depends heavily on circumstances beyond the attacker’s control.
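To make the mechanism and the first condition above concrete, here is an added example (not phpMyAdmin’s code, and written in Python rather than PHP) that models an unprotected state-changing GET handler beside a hardened one which only accepts POST and requires a per-session token. The SESSIONS store, the handler names and the request dictionaries are constructed stand-ins for a real web framework.

```python
import hmac
import secrets

# Constructed in-memory stand-in for server-side session storage.
SESSIONS = {}

def new_session():
    """Create a logged-in session that carries a fresh random CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_hex(32)}
    return sid

def csrf_token_for(sid):
    """Token a legitimate page rendered for this session would embed in its form."""
    return SESSIONS[sid]["csrf_token"]

def vulnerable_handle(request):
    """Model of the weakness: any logged-in session that merely fetches the URL
    (for example by clicking a crafted link) executes the requested action."""
    sid = request.get("cookie")
    if sid not in SESSIONS:
        return (401, "not logged in")          # condition 1: the victim must be logged in
    return (200, "executed: " + request["params"].get("action", ""))

def hardened_handle(request):
    """Same action with two standard CSRF defenses: state changes are accepted
    only over POST, and only with the per-session token a cross-site link cannot know."""
    sid = request.get("cookie")
    if sid not in SESSIONS:
        return (401, "not logged in")
    if request["method"] != "POST":
        return (405, "state-changing requests must use POST")
    supplied = request["params"].get("token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(supplied.encode(), SESSIONS[sid]["csrf_token"].encode()):
        return (403, "missing or invalid CSRF token")
    return (200, "executed: " + request["params"].get("action", ""))

def forged_link_request(sid):
    """What the browser sends when a logged-in user clicks a third-party link:
    the session cookie is attached automatically, but no token is present."""
    return {"method": "GET", "cookie": sid, "params": {"action": "drop_table"}}
```

The hardened handler turns the crafted link into a harmless 405, and even a forged POST fails with 403 unless the attacker already knows the victim’s session token.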
Other possible attack vectors
Let’s say an attacker knows the phpMyAdmin URL, and even knows the name of the database and of the particular table he is going to delete, but the user is not logged in. In this case, a combination of social engineering and clickjacking could be used to perform two actions: first, to get the user logged in to phpMyAdmin, and second, to carry out the attack with the crafted link. Such an attack vector is more likely, but still more theoretical than practical.