QIWI: gifts.flocktory.com/phpmyadmin is vulnerable to CSRF

HackerOne report H1:1113212
Reported by ganofins (hackerone.com), 2021-02-28 10:10:41

CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CVSS2: 5.8 Medium
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P

EPSS: 0.959 High (percentile 99.2%)

Summary:

Hello Team,
I found that the PHPMyAdmin login panel is publicly accessible on https://gifts.flocktory.com and it is using the 4.6.6 version of PHPMyAdmin, which is vulnerable to several CVEs
https://www.cvedetails.com/vulnerability-list/vendor_id-784/product_id-1341/version_id-251928/Phpmyadmin-Phpmyadmin-4.6.6.html
https://www.cybersecurity-help.cz/vdb/phpmyadmin/phpmyadmin/4.6.6/
Two of these are CSRF vulnerabilities.

Description:

CVE-2019-12616:

Details:

The vulnerability exists due to insufficient validation of the HTTP request origin in the “tbl_sql.php” script. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as executing arbitrary INSERT or DELETE statements.

Steps to reproduce/POC:

https://gifts.flocktory.com/tbl_sql.php?sql_query=INSERT+INTO+`pma__bookmark`+(`id`%2C+`dbase`%2C+`user`%2C+`label`%2C+`query`)+VALUES+(DAYOFWEEK('')%2C+''%2C+''%2C+''%2C+'')&show_query=1&db=phpmyadmin&table=pma__bookmark

An attacker can create a CSRF HTML page using the above URL; when the victim visits such a page, the INSERT query crafted by the attacker is executed.

Impact:

An attacker can perform arbitrary actions on behalf of the victim, such as executing arbitrary INSERT or DELETE statements.

References:

https://www.cybersecurity-help.cz/vdb/SB2019060501
https://nvd.nist.gov/vuln/detail/CVE-2019-12616

CVE-2019-12922:

Details:

The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick the victim into visiting a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website, such as deleting an arbitrary server on the Setup page.

Steps to reproduce/POC:

<p>Deleting Server 1</p>
<img src="https://gifts.flocktory.com/phpmyadmin/setup/index.php?page=servers&mode=remove&id=1" />

An attacker can create a CSRF HTML page using the above HTML code; when the victim visits such a page, the server with id=1 is deleted.

Impact:

An attacker can perform arbitrary actions on behalf of the victim, such as deleting an arbitrary server on the Setup page.

References:

https://www.exploit-db.com/exploits/47385
https://nvd.nist.gov/vuln/detail/CVE-2019-12922

Thanks and regards,
@ganofins

Impact

An attacker can perform arbitrary actions on behalf of the victim, such as executing arbitrary INSERT or DELETE statements or deleting an arbitrary server on the Setup page.
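Both proof-of-concept requests above share one detectable shape: a plain GET that changes state, arriving from a page that is not the phpMyAdmin instance itself. As an added example that is not part of the report, the following Python flags that shape in web-server access logs; the host and script paths are the ones named in the report, while the log lines, client addresses and Referer values are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Endpoints from the report that change state on a plain GET, with the query
# parameter that marks the state-changing form of the request.
STATE_CHANGING = {
    "/tbl_sql.php": {"sql_query"},
    "/phpmyadmin/setup/index.php": {"mode"},  # mode=remove drops a server
}
ALLOWED_HOST = "gifts.flocktory.com"  # the host named in the report

LOG_RE = re.compile(  # Apache/nginx Combined Log Format
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyse(line):
    """Return a reason string if the line looks like a cross-site GET to a
    state-changing phpMyAdmin endpoint, otherwise None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlparse(m["path"])
    marker_keys = STATE_CHANGING.get(url.path)
    if marker_keys is None or marker_keys.isdisjoint(parse_qs(url.query)):
        return None  # not one of the endpoints, or a harmless view of it
    referer = m["referer"]
    if referer == "-":
        return "state-changing GET without Referer"
    ref_host = urlparse(referer).hostname or ""
    if ref_host != ALLOWED_HOST:
        return f"state-changing GET with cross-origin Referer {ref_host}"
    return None

def suspicious(lines):
    """(index, reason) for every flagged line."""
    flagged = [(i, analyse(line)) for i, line in enumerate(lines)]
    return [(i, r) for i, r in flagged if r]

# Constructed sample log lines (not from the report): line 0 is a benign use of
# the same script, lines 1 and 2 mirror the report's two proof-of-concept URLs.
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2021:10:10:41 +0000] "GET /tbl_sql.php?sql_query=SELECT+1&db=phpmyadmin HTTP/1.1" 200 512 "https://gifts.flocktory.com/index.php" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Feb/2021:10:11:02 +0000] "GET /tbl_sql.php?sql_query=INSERT+INTO+%60pma__bookmark%60+VALUES+(1)&db=phpmyadmin HTTP/1.1" 200 512 "https://evil.example/csrf.html" "Mozilla/5.0"',
    '198.51.100.9 - - [28/Feb/2021:10:11:05 +0000] "GET /phpmyadmin/setup/index.php?page=servers&mode=remove&id=1 HTTP/1.1" 200 204 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [28/Feb/2021:10:12:00 +0000] "GET /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]
```

Calling suspicious(SAMPLE_LOG) flags lines 1 and 2. A missing or foreign Referer is only a triage heuristic, since browsers and referrer policies can strip it; the durable fix is an anti-CSRF token checked on every state-changing request, together with patching phpMyAdmin and not exposing its login panel to the public internet.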
