phpMyAdmin 4.7.7 released to fix XSRF/CSRF vulnerability in phpMyAdmin

CVE-2018-10188 CSRF vulnerability phpMyAdmin

phpMyAdmin can manage a whole MySQL server (needs a super-user) as well as a single database. To accomplish the latter you’ll need a properly set up MySQL user who can read/write only the desired database. It’s up to you to look up the appropriate part in the MySQL manual.

Recently, a new version of phpMyAdmin has been released to fix a CSRF vulnerability that affects phpMyAdmin versions 4.7.x (prior to 4.7.7). Security researcher Ashutosh Barot found this vulnerability. By deceiving a logged-in user into clicking a crafted URL, an attacker can make that user's browser perform harmful database operations, such as deleting records or dropping/truncating tables, with the user's own privileges.
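The weakness described above is a state-changing request that a plain link can trigger. The following is an added illustration (not phpMyAdmin's own code, nor the actual fix) contrasting a handler that runs a query straight from the request with one that requires POST plus a per-session synchronizer token; `$execute` is a stand-in for the database call and only records the SQL.

```php
<?php
// Added illustration, not phpMyAdmin's code: the CSRF pattern the advisory
// describes next to the defensive shape. $execute is a stand-in for the real
// database call and only records what would have been run.

function vulnerable_handler(string $method, array $params, callable $execute): bool
{
    // Any request carrying ?sql=... is executed regardless of method or origin,
    // so a link a logged-in user clicks is enough to run DROP TABLE or DELETE.
    if (isset($params['sql'])) {
        $execute($params['sql']);
        return true;
    }
    return false;
}

function hardened_handler(string $method, array $params, string $sessionToken, callable $execute): bool
{
    // 1. State-changing actions only via POST; a bare link cannot issue one.
    if ($method !== 'POST') {
        return false;
    }
    // 2. The request must carry the token stored server-side in the session,
    //    compared in constant time so timing does not leak partial matches.
    if (!isset($params['token']) || !hash_equals($sessionToken, (string) $params['token'])) {
        return false;
    }
    if (isset($params['sql'])) {
        $execute($params['sql']);
        return true;
    }
    return false;
}

// Demonstration with a constructed session token and a recording executor.
$sessionToken = bin2hex(random_bytes(16));   // generated once per login, kept in the session
$log = [];
$execute = function (string $sql) use (&$log) { $log[] = $sql; };

$crafted = ['sql' => 'DROP TABLE accounts'];   // constructed sample of what a crafted URL carries
vulnerable_handler('GET', $crafted, $execute);                  // executed: the link alone suffices
hardened_handler('GET', $crafted, $sessionToken, $execute);     // rejected: not POST
hardened_handler('POST', $crafted, $sessionToken, $execute);    // rejected: no session token
hardened_handler('POST', $crafted + ['token' => $sessionToken], $sessionToken, $execute); // accepted: genuine form
printf("executed %d of 4 attempts: %s\n", count($log), implode(' | ', $log));
```

Only the first and last calls reach `$execute`; the token is unknown to a third-party page, so a crafted link or cross-site form cannot satisfy the hardened check.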

PoC

Severity

Critical

Affected Versions

Versions 4.7.x (prior to 4.7.7)

Solution

Upgrade to phpMyAdmin 4.7.7 or newer, or apply the patch listed below.

The following commits have been made on the 4.7 branch to fix this issue:

The following commits have been made on the 4.8 branch to fix this issue:

Reference: phpMyAdmin