
CVE-2019-12616: phpMyAdmin CSRF Vulnerability

CVSS Score (v3.0): 6.5

Basic Information

EPSS Score
0.97579%
Published
5/24/2022
Updated
8/1/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
phpmyadmin/phpmyadmin | composer  | < 4.9.0             | 4.9.0

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The key vulnerability stemmed from reading authentication parameters from $_REQUEST instead of $_POST. Because $_REQUEST merges GET, POST and cookie data, the 'pma_username' and 'pma_password' parameters could be supplied in a URL query string. Commit 015c404 shows the critical change: replacing $_REQUEST with $_POST for those two parameters. This indicates the original code lacked proper CSRF protection, since it allowed GET-based authentication requests, which could be triggered via malicious image tags or forged URLs. The AuthenticationCookie::readCredentials method was directly responsible for this insecure parameter handling.
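The contrast below is an added illustration, not phpMyAdmin's code and not the diff of commit 015c404. It shows why reading credentials from $_REQUEST makes a login forgeable from a plain URL, and what the page's fix (reading from $_POST) changes. The function names, the session-bound 'csrf_token' field and the constructed request arrays are assumptions made for this example; the token check is an additional defence the page does not describe.

```php
<?php
// Added example (not the project's code). The 'pma_username' and
// 'pma_password' parameter names come from the advisory; everything else
// here (function names, csrf_token, sample requests) is constructed.

// BEFORE the fix: $_REQUEST merges GET, POST and cookie data, so a login
// completes even when the credentials arrive in a URL query string. A browser
// sends such a request automatically for an <img> tag or a link, which is the
// CSRF condition the advisory describes.
function readCredentialsVulnerable(array $request): ?array
{
    if (!isset($request['pma_username'], $request['pma_password'])) {
        return null;
    }
    return ['user' => $request['pma_username'], 'pass' => $request['pma_password']];
}

// AFTER the fix: only the POST body is consulted, so query-string parameters
// are simply invisible. The token check is defence in depth beyond the commit:
// a cross-site form post has no way to know the visitor's session token.
function readCredentialsHardened(array $post, array $session): ?array
{
    if (!isset($post['pma_username'], $post['pma_password'], $post['csrf_token'])) {
        return null;
    }
    if (!isset($session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return null;
    }
    return ['user' => $post['pma_username'], 'pass' => $post['pma_password']];
}

// Token issued when the login form is rendered and kept in the session.
function issueCsrfToken(array &$session): string
{
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

// Constructed requests for demonstration.
$session = [];
$token = issueCsrfToken($session);

// 1. Credentials in the query string. With $_REQUEST semantics they are
//    visible; with $_POST semantics the POST body is empty.
$queryString = ['pma_username' => 'alice', 'pma_password' => 'secret'];
$emptyPostBody = [];
echo "GET with credentials, old code accepted:  ",
     var_export(readCredentialsVulnerable($queryString) !== null, true), PHP_EOL;
echo "GET with credentials, hardened accepted:  ",
     var_export(readCredentialsHardened($emptyPostBody, $session) !== null, true), PHP_EOL;

// 2. A POST body without a session-bound token (a cross-site form post).
$postNoToken = ['pma_username' => 'alice', 'pma_password' => 'secret'];
echo "POST without token, hardened accepted:    ",
     var_export(readCredentialsHardened($postNoToken, $session) !== null, true), PHP_EOL;

// 3. A POST body from the legitimate login form, carrying the session token.
$postWithToken = $postNoToken + ['csrf_token' => $token];
echo "POST with token, hardened accepted:       ",
     var_export(readCredentialsHardened($postWithToken, $session) !== null, true), PHP_EOL;
```

Run it with the PHP CLI (`php example.php`). hash_equals is used for the token comparison so that the check does not leak timing information, and the token is generated with random_bytes rather than a predictable value.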

Vulnerable functions


WAF Protection Rules

WAF Rule

An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken `<img>` tag pointing at the victi
