Question

I noticed that when I execute a query in phpMyAdmin, it shows it on the screen as a link. When you click on that link, it forwards you to http://dev.mysql.com/ with the related query. Isn't that an exploit?

So they can get your token by saving your:

$_SERVER['HTTP_REFERER']

I tried it with JS and I noticed it shows the last URL:

document.referrer 
"http://localhost/phpmyadmin/index.php?db=www_&table=meeting_planner&target=tbl_sql.php&token=a24a6bfb214586e23954....."

Solution

Assuming the token is the one discussed here, then yes. It is a vulnerability (albeit a minor one).

It allows the anti-CSRF token to leak to a specific site (which has been selected by the authors of the software and is probably trustworthy).

You should be able to mitigate it by accessing phpMyAdmin over HTTPS (which tends to block referer information when leaving for a different site).


CSRF defences work by having two copies of the token. One in a cookie (or session) and one in the form.

There is generally no need to defend against CSRF attacks for operations which only read data, and operations which write data should be POST forms, so the CSRF token should never appear in a URL.

phpMyAdmin is a bit of an odd duck in that a read operation can very easily be used to trigger a DOS attack on the server (since you can send SQL queries). These requests should probably use CSRF tokens, but since adding them will make the link unbookmarkable / sharable, the post might as well use POST here anyway.

Other tips

Quentin's explanation was pretty good; I have nothing to add to that -- but this was fixed back in February with phpMyAdmin 4.2 (I just forgot to post this here until now).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow