2

I saw that there was a security exploit for phpMyAdmin using cross-site request forgery (CSRF). I always thought that the ?token= parameter in all phpMyAdmin URLs prevented against this, but then I read this:

To prepare a CSRF attack URL, the attacker should be aware of the name of targeted database and table.

That implies that the attacker doesn't need to know the token. I tested this by copying the link for the table drop button for a test DB in my phpMyAdmin, removing the ?token= parameter. To my surprise it did drop the table.

Is this token parameter intended to prevent CSRF? If not, which purpose does it serve?

Anders
  • 64,406
  • 24
  • 178
  • 215
Goose
  • 1,394
  • 1
  • 11
  • 17

1 Answers1

4

The token URL param is indeed a anti CSRF token. This is from the commit message fixing the vulnerability:

Bring back token validation to GET requests

This is necessary to avoid CSRF on SQL queries. This is really more a short term fix, proper fix (to be implemented in master) is to avoid accepting SQL queries from GET requests.

From this, we can gather that the vulnerability was the result of two mistakes in combination:

  1. Accepting SQL queries - a state changing operation - from GET requests. This is deviating from the philosophy behind the HTTP verbs and in general a bad idea.
  2. Not checking the CSRF token for GET requests.

It looks like phpMyAdmin originally didn't differentiate between GET and POST that well. E.g. the token is in a URL param, not a hidden form field, and the code uses $_REQUEST to check for it.

Then someone tried to fix it, disabling state changing GET requests as well as the token check for GET requests since it was no longer needed. Unfortunately, they failed at the first but not the second, and hence the vulnerability was born.

Anders
  • 64,406
  • 24
  • 178
  • 215