
Critical SQL injection vulnerability affecting phpMyAdmin

Vulnerability testing specialists have reported a security flaw in phpMyAdmin, one of the world’s most widely used MySQL database administration tools. The flaw is present in multiple versions of the tool, from 4.7.7 up to, but not including, 4.9.2, which is the release that fixes it.

According to the report, this is a SQL injection vulnerability in the designer feature, exploitable through a specially crafted database username.

The vulnerability, tracked as CVE-2019-18622, has already been reported to the team behind phpMyAdmin, which acknowledged the report and began working on a fix immediately.

Plesk servers are not affected in their default configuration, because Plesk does not allow database users to be created with special characters in the username, and such a username is an essential part of this attack.

According to the vulnerability testing specialists, only the database server administrator can create database users directly through MySQL, bypassing that restriction. In addition, it should be emphasized that the injection is only possible within phpMyAdmin’s own database (the configuration storage), not within arbitrary user databases.
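The following is an added example that is not code from phpMyAdmin or from the original report. It models the injection class described above, a database username spliced into a query against phpMyAdmin’s own storage, with a constructed in-memory SQLite table standing in for the MySQL configuration storage (the table and column names, the `load_settings_*`/`save_settings_*` functions and the username pattern are assumptions for this example). It shows the vulnerable string-building pattern next to a parameterized version, and a creation-time username check in the spirit of the Plesk restriction.

```python
import re
import sqlite3


def make_storage():
    # Constructed stand-in for phpMyAdmin's configuration storage; the
    # table and column names are assumptions, not phpMyAdmin's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE designer_settings (username TEXT, settings TEXT)")
    conn.executemany(
        "INSERT INTO designer_settings VALUES (?, ?)",
        [("alice", '{"theme":"dark"}'), ("bob", '{"theme":"light"}')],
    )
    conn.commit()
    return conn


def load_settings_vulnerable(conn, username):
    # The username is spliced into the statement text, so a value such as
    # x' OR '1'='1 closes the quoted literal and rewrites the WHERE clause.
    sql = "SELECT settings FROM designer_settings WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def save_settings_vulnerable(conn, username, settings):
    # Same pattern on the write path: a crafted username makes the UPDATE
    # touch every row in the table. Returns the number of rows modified.
    sql = "UPDATE designer_settings SET settings = '%s' WHERE username = '%s'" % (
        settings,
        username,
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def load_settings_safe(conn, username):
    # Bound parameter: the driver passes the username as a value, so the
    # quotes and OR inside it never reach the SQL parser as syntax.
    sql = "SELECT settings FROM designer_settings WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# Defence in depth at account-creation time, in the spirit of the Plesk
# restriction. The exact character set Plesk allows is not given in the
# article; this assumed rule accepts only letters, digits and underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_acceptable_username(username):
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    conn = make_storage()
    crafted = "x' OR '1'='1"
    print(load_settings_vulnerable(conn, "alice"))   # alice's row only
    print(load_settings_vulnerable(conn, crafted))   # both rows leak
    print(load_settings_safe(conn, crafted))         # [] - no row matches
    print(save_settings_vulnerable(conn, crafted, "{}"))  # 2 rows overwritten
    print(is_acceptable_username(crafted))           # False - rejected at creation
```

The parameterized query is the actual fix for this class of bug; the username whitelist only explains why Plesk-managed accounts could not be used to trigger it, and it does nothing for users created directly through MySQL by the server administrator.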

In its advisory on the bug, the phpMyAdmin team rates the vulnerability as high severity and encourages potentially affected users to apply the fix as soon as possible.

To prevent any exploit scenario, upgrading to phpMyAdmin 4.9.2 or any later version is recommended; the patch for earlier versions is available from the project on GitHub. For questions or comments, contact the phpMyAdmin team directly through its website. Database users created through Plesk require no additional measures.

Multiple security issues have recently been reported in this tool. A couple of months ago, vulnerability testing specialists at the International Institute of Cyber Security (IICS) reported an unpatched zero-day vulnerability in phpMyAdmin: a Cross-Site Request Forgery (CSRF) flaw that relied on tricking an authenticated user into performing unintended actions on the target system.

Tracked as CVE-2019-12922, that flaw was rated medium severity because of its limited scope: the exploit only allowed an attacker to delete servers configured on the setup page of the victim’s phpMyAdmin panel.
