phpMyAdmin 4.7.7 released to fix XSRF/CSRF vulnerability in phpMyAdmin

phpMyAdmin can manage a whole MySQL server (needs a super-user) as well as a single database. To accomplish the latter you’ll need a properly set up MySQL user who can read/write only the desired database. It’s up to you to look up the appropriate part in the MySQL manual.

Recently, a new version of phpMyAdmin has been released to fix CSRF vulnerability that affects phpMyAdmin versions 4.7.x (prior to 4.7.7). Ashutosh Barot security research found this vulnerability. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Poc

Severity

critical

Affected Versions

Versions 4.7.x (prior to 4.7.7)

Solution

Upgrade to phpMyAdmin 4.7.7 or newer or apply patch listed below.

The following commits have been made on the 4.7 branch to fix this issue:

• edd929216ade9f7c150a262ba3db44db0fed0e1b

The following commits have been made on the 4.8 branch to fix this issue:

• 72f109a99c82b14c07dcb19946ba9b76efc32a1b

Reference:phpmyadmin