One of the most popular and widely used MySQL database management systems, phpMyAdmin has got a new update released today. The updated version of the software, 4.8.4 patches many important vulnerabilities that could allow remote attackers to take control of the affected web servers.
phpMyAdmin is a free, open-source administration tool for managing MySQL databases using a simple graphical interface over the web-browser. Almost all web hosting service pre-installs phpMyAdmin with their control panels for easily managing the databases for websites, including WordPress, Joomla, and other content management platforms.
There are mainly three critical security vulnerabilities that affect phpMyAdmin versions before the release of 4.8.4. The details of the latest phpMyAdmin Vulnerabilities are
Local file inclusion (CVE-2018-19968) — phpMyAdmin versions from 4.0 up to 4.8.3 has a local file inclusion flaw that enables a remote attacker to read sensitive contents from local files on the server through its transformation feature. The attacker must be able to gain access to the phpMyAdmin Configuration Storage tables even though they can be created in any database which the attacker has access. He should also have valid credentials to log in to phpMyAdmin. This vulnerability does not allow an attacker to avoid logging into the system.
Cross-Site Request Forgery (CSRF)/XSRF (CVE-2018-19969) — phpMyAdmin versions from 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 includes a CSRF/XSRF flaw. This flaw if exploited would let the hackers to execute harmful SQL operations like renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes etc. by persuading the victim to open specially crafted links.
Cross-site scripting (XSS) (CVE-2018-19970) — This is a cross-site scripting vulnerability in its navigation tree, found in the versions from 4.0 up to 4.8.3 by which a hacker can insert a malicious code into the dashboard by using a specially-crafted database/table name.
The newly released version 4.8.4 addresses all the above-mentioned security vulnerabilities as well as separate patches for some of the previous versions.
All website managers, administrators and network hosting service providers are advised to install latest update or patches at the earliest.