phpMyAdmin Page Found

CVE: 2019-12922 (CSRF in phpMyAdmin 4.9.0.1 that lets an attacker delete a configured server from the setup page)
CWE: 352 (Cross-Site Request Forgery)

What is the attack?
The phpMyAdmin interface on this host is reachable by any user on the internet. An exposed administration interface gives an attacker a direct target for the attacks listed below:

  1. CSRF attack against a phpMyAdmin user:
    When phpMyAdmin uses cookie authentication (auth_type = 'cookie'), the browser attaches the session cookie to every request to the instance automatically. An attacker can therefore forge a state-changing request on behalf of a logged-in user from an attacker-controlled page, for example with an <img> tag whose src points at a phpMyAdmin URL on the victim's instance. The image never loads, but the request is sent with the victim's cookie and processed as if the victim made it; in CVE-2019-12922 this is enough to delete a server from the setup page, and in general it can modify or delete database content.
  2. XSS attacks:
    Versions of phpMyAdmin have been vulnerable to cross-site scripting in the navigation tree and in db_central_columns.php (central columns). An attacker can craft a file that, when loaded through the 'import' feature, or a payload stored in the database, executes script in the victim's phpMyAdmin session when rendered and then issues requests on the victim's behalf that delete or modify data.
  3. SQL injection attack:
    The 'tracking' functionality has been vulnerable to SQL injection. An attacker can gain read and write access to the phpMyAdmin configuration storage database and, depending on the privileges of the account phpMyAdmin connects with, to tables of the underlying MySQL database.
  4. DoS (Denial of Service) attacks:
    A very large request to the 'table partitioning' function can exhaust server resources, as can a flood of requests carrying the 'value' parameter of the 'saved searches' feature. Brute-force attempts against the username and password fields, made to obtain administrative access, can also consume enough resources to cause an unintended denial of service.

Impact of the attack:
If any of the above attacks succeed, the attacker will be able to:

  1. Steal data
  2. Delete or manipulate data
  3. Gain unauthorized access to certain tables of the database
  4. Create or store malicious files in the database
  5. Make changes to configuration settings of the database
  6. Crash the website or impact user experience through DoS attacks

How to prevent this attack?
This finding can be remediated as follows:

  1. Allow-list the users who genuinely need external access to phpMyAdmin, by source IP, VPN or authentication at a reverse proxy; ideally do not expose the interface to the internet at all.
  2. Serve phpMyAdmin under a non-default URL instead of /phpmyadmin to reduce opportunistic scanning. This reduces noise only and is not a substitute for item 1.
  3. Run the latest supported phpMyAdmin release; the issues listed above have been fixed in later versions.
  4. Use strong, unique passwords for every MySQL account and rate-limit or CAPTCHA-protect the login form so brute-force attempts are neither successful nor resource-exhausting.
  5. Disable root login to phpMyAdmin and give each administrator a dedicated least-privilege MySQL account.
  6. Enable HTTPS on the phpMyAdmin page, and redirect plain HTTP to it, so that the username, password and session cookie are never transmitted in clear text.

To verify the fix, request the phpMyAdmin URL from an address outside the allow-list: the response should be a 403 or a redirect away from the application, not the login page.
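Items 1, 4, 5 and 6 map directly onto settings in phpMyAdmin's config.inc.php. The fragment below is an added example written for this page, not the project's shipped sample configuration; the address range, the placeholder secret and the server index are assumptions to adapt to the deployment.

```php
<?php
// Added example of config.inc.php hardening for the items above; not a copy of
// phpMyAdmin's shipped config. Network range and secret are placeholders.
$i = 1;

// Item 1: allow-list evaluated by phpMyAdmin itself, so it still applies if
// the web-server ACL is misconfigured. '%' means any user name.
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = [
    'allow % from 10.20.0.0/16',   // assumed administrator VPN range
    'allow % from 127.0.0.1',
];

// Item 5: refuse the MySQL root account through the web UI and refuse
// accounts without a password; administrators use dedicated accounts.
$cfg['Servers'][$i]['AllowRoot']       = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// Item 6: redirect every plain-HTTP request to HTTPS before any credential
// is sent. The web server must of course actually serve TLS.
$cfg['ForceSSL'] = true;

// Cookie authentication with a strong secret for the encrypted login cookie.
// Replace the placeholder with 32 random bytes (e.g. `openssl rand -hex 32`).
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['blowfish_secret'] = 'REPLACE-WITH-32-RANDOM-BYTES';

// Item 4: limit the value of a stolen or brute-forced session. Sessions expire
// after 15 minutes of inactivity and the password is never stored in the cookie.
$cfg['LoginCookieValidity'] = 900;
$cfg['LoginCookieStore']    = 0;
```

Item 2 is a web-server change rather than a phpMyAdmin setting: point a non-default Alias (Apache) or location (nginx) at the phpMyAdmin directory instead of /phpmyadmin, and keep the same IP restriction at the web-server layer so the login page is never rendered for addresses outside the allow-list. After editing, log in from inside the allow-list and from outside it to confirm the first succeeds over HTTPS only and the second is refused.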