A researcher has just published a zero-day security bug in one of the web’s most popular database administration software packages.

The bug makes it possible for an attacker to delete a server by hijacking a user’s account in phpMyAdmin, a 21-year-old open-source tool used to manage MySQL and MariaDB databases.

The flaw is a classic cross-site request forgery (CSRF), a long-established attack in which an attacker tricks a logged-in user’s browser into performing unwanted actions, such as changing that user’s account details. The browser automatically attaches any credentials it holds for the site, such as the user’s session cookie, to the forged request, so the server cannot easily tell it apart from a genuine one.

The bug report on the Full Disclosure mailing list says that an attack would have to target phpMyAdmin’s setup page. The CVE listing for the bug gives it a medium severity rating.

According to the Full Disclosure listing, an attacker can create a fake hyperlink containing the malicious request. It mentions that the CSRF attack is possible because of an incorrectly used HTTP method.

The researcher who discovered it, Manuel Garcia, explained to us:

The POST/GET requests are not validated. To avoid CSRF attacks you need to implement a token.
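The two defences the article points at are the ones a maintainer would reach for: a per-session anti-CSRF token that a cross-origin page cannot read, and refusing to perform state-changing actions in response to a GET (the "incorrectly used HTTP method" the Full Disclosure post mentions, which is what lets a plain hyperlink trigger the action). The following is an added illustration written for this page, not phpMyAdmin's own code; the session store, the `/setup/apply` path, the `sid` cookie name and the request objects are constructed stand-ins, and the server-side logic is a generic synchronizer-token pattern in Python rather than anything taken from the project.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Methods that may change server state; these must carry a valid token.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    """Hypothetical server-side session: one random CSRF token per login."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


@dataclass
class Request:
    """Constructed stand-in for an HTTP request as the server sees it."""
    method: str
    path: str
    cookies: Dict[str, str]
    form: Dict[str, str] = field(default_factory=dict)


def render_setup_form(session: Session) -> str:
    """Embed the session token in the form; only same-origin pages can read it back."""
    return (
        '<form method="post" action="/setup/apply">'
        f'<input type="hidden" name="token" value="{session.csrf_token}">'
        "</form>"
    )


def csrf_check(session: Session, request: Request) -> Optional[str]:
    """Return None when the request passes, otherwise the rejection reason."""
    if request.method not in STATE_CHANGING_METHODS:
        return None
    submitted = request.form.get("token")
    if submitted is None:
        return "missing token"
    # Constant-time comparison so response timing does not leak token bytes.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "invalid token"
    return None


def handle(sessions: Dict[str, Session], request: Request) -> Tuple[int, str]:
    """Minimal dispatcher for the hypothetical setup endpoint."""
    session = sessions.get(request.cookies.get("sid", ""))
    if session is None:
        return 401, "no valid session"
    if request.path != "/setup/apply":
        return 404, "unknown path"
    # A state-changing action must not be reachable via GET at all: a plain
    # hyperlink can only produce a GET, so refusing it closes that route
    # independently of the token check below.
    if request.method == "GET":
        return 405, "use POST"
    reason = csrf_check(session, request)
    if reason is not None:
        return 403, reason
    return 200, f"configuration applied for {session.user}"


def demo() -> List[int]:
    """Run four constructed requests through the dispatcher; returns the status codes."""
    sessions = {"abc123": Session(user="admin")}
    cookie = {"sid": "abc123"}  # the browser attaches this to every request
    session = sessions["abc123"]
    # 1. Request produced by following a link: cookie present, but it is a GET.
    r1 = handle(sessions, Request("GET", "/setup/apply", cookie, {"apply": "1"}))
    # 2. Cross-origin form submission: cookie present, token absent.
    r2 = handle(sessions, Request("POST", "/setup/apply", cookie, {"apply": "1"}))
    # 3. Wrong token of the right length: rejected by the constant-time compare.
    r3 = handle(sessions, Request("POST", "/setup/apply", cookie, {"token": "0" * 64}))
    # 4. Genuine submission from the rendered form: carries the session token.
    r4 = handle(sessions, Request("POST", "/setup/apply", cookie, {"token": session.csrf_token}))
    return [r1[0], r2[0], r3[0], r4[0]]


if __name__ == "__main__":
    print(demo())  # expected: [405, 403, 403, 200]
```

The order of the checks matters: the method check runs before the token check so that a link-based request is refused even if a token were somehow leaked, and the token is compared with `hmac.compare_digest` rather than `==` so that the comparison does not short-circuit on the first mismatching byte.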