The PhpMyAdmin, which is one of the most popular and widely used MYSQL DBMS released an very important updated version 4.8.4 of its software to patch several critical vulnerabilities that could be allow attackers to take control of the affected web servers.
The phpMyAdmin project operators had already given notice of updates to their users through a post on their blog, with the intention that website managers, network hosting service providers and other users prepare the best possible way to install critical updates.
“We have resorted to the techniques used by developers of other projects, such as Mediawiki and similar ones, anticipating the release of security patches, allowing phpMyAdmin users to prepare their systems for updating”, mentions Isaac Bennetch, specialist in cybersecurity and digital forensics of phpMyAdmin.
The phpMyAdmin software is a free and open source management tool to operate MySQL databases using a very simple graphical interface through the web browser
According to experts in cybersecurity, almost any web hosting service has the pre-determined installation of phpMyAdmin in its control panels to help website admins to manage in the easiest possible way their databases for websites such as WordPress, Joomla and other content management systems.
In addition to the correction of several bugs, phpMyAdmin developers commented that the update will focus primarily on three critical security flaws present in the software versions prior to 4.8.4:
- Local file inclusion (CVE-2018-19968)
Local file inclusion vulnerability is present in phpMyAdmin versions between 4.0 and 4.8.3. This flaw could allow a remote attacker to access sensitive content in the server’s local files through its transform function.
- Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969)
phpMyAdmin versions from 4.7.0 to 4.7.6 and 4.8.0 to 4.8.3 include a cross site requests spoofing flaw that, if exploited, would allow a hacker to perform malicious SQL operations. These harmful activities include changes in database names, creating new tables of content, or deleting admin profiles.
- XSS Vulnerability (CVE-2018-19970)
The software also presents XSS vulnerability in its navigation tree that affects the versions between 4.0 and 4.8.3, so a hacker could inject malicious code into the affected system with specially designed packages.
According to the developers of phpMyAdmin, the 4.8.4 software version will address the three critical vulnerabilities found in previous versions. In addition, the software managers will later launch some additional update patches.
Finally, phpMyAdmin managers strongly recommend cybersecurity and hosting providers install the update patches as soon as they are available.