CVE-2013-5029
Description
phpMyAdmin 3.5.x and 4.0.x before 4.0.5 allows remote attackers to bypass the clickjacking protection mechanism via certain vectors related to Header.class.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin 3.5.x and 4.0.x before 4.0.5 have clickjacking protection that can be bypassed, allowing UI redressing attacks.
Vulnerability
The clickjacking protection mechanisms in phpMyAdmin 3.5.x and 4.0.x prior to 4.0.5 are insufficient and can be bypassed. The protection consists of three layers: an X-Frame-Options: DENY header, JavaScript frame-busting in cross_framing_protection.js, and a CSS display: none rule. These measures either rely on modern browser support or can be circumvented through specific vectors related to Header.class.php. The configuration option $cfg['AllowThirdPartyFraming'] (default false) was introduced to control framing, but in affected versions the bypass exists regardless of this setting. [1][3]
Exploitation
An attacker can craft a malicious web page that frames a phpMyAdmin instance while the victim is authenticated. The attacker must trick the victim into visiting the malicious page (e.g., via phishing or a compromised site). The exact bypass vectors are not publicly detailed but involve defeating the frame-busting JavaScript or the X-Frame-Options header in older browsers. [3]
Impact
Successful exploitation enables clickjacking attacks, where the attacker overlays invisible elements on top of the framed phpMyAdmin interface. This can trick the victim into performing unintended actions, such as executing SQL queries, modifying database objects, or changing configuration settings, potentially leading to full compromise of the database management interface and the underlying data. [3]
Mitigation
Upgrade to phpMyAdmin 4.0.5 or later. For the 3.5.x branch, no official fix is available because the proposed solution requires JavaScript, which the 3.5.x family avoids. Patches are provided in commits [1], [2], and [4]; these introduce the AllowThirdPartyFraming option (default false) and improve the frame-busting logic. Users unable to upgrade should consider restricting access to phpMyAdmin or using browser-level clickjacking protections. [3]
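As an added check (not phpMyAdmin's own code and not taken from the advisory), the following Python classifies a response's header-level anti-framing posture, the layer the Vulnerability section lists first, so an administrator can confirm a deployment does not rest on the script-level frame-buster alone; the header dictionaries it inspects are constructed samples.

```python
from typing import Dict, List


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def frame_ancestors(csp: str) -> List[str]:
    """Source list of the CSP frame-ancestors directive, lower-cased; [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return []


def assess_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Report whether the browser-enforced anti-framing layer is present."""
    xfo = _header(headers, "X-Frame-Options").upper()
    ancestors = frame_ancestors(_header(headers, "Content-Security-Policy"))
    xfo_blocks = xfo in ("DENY", "SAMEORIGIN")
    # A frame-ancestors list restricts framing unless it is wide open ("*").
    csp_blocks = bool(ancestors) and "*" not in ancestors
    if xfo_blocks or csp_blocks:
        finding = ("header-enforced anti-framing present; browsers that ignore these "
                   "headers still depend on the script/CSS frame-buster as a fallback")
    else:
        finding = ("no enforced anti-framing header; only the script/CSS frame-buster "
                   "remains, which is among the layers this CVE's bypass vectors defeat")
    return {"x_frame_options": xfo or None, "frame_ancestors": ancestors,
            "header_protected": xfo_blocks or csp_blocks, "finding": finding}


# Constructed sample responses (not captured from a real phpMyAdmin install).
PATCHED_LIKE = {"Content-Type": "text/html", "x-frame-options": "DENY"}
CSP_ONLY = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
UNPROTECTED = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}

if __name__ == "__main__":
    for label, hdrs in [("patched-like", PATCHED_LIKE), ("csp-only", CSP_ONLY),
                        ("unprotected", UNPROTECTED)]:
        print(label, "->", assess_framing_protection(hdrs)["finding"])
```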
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.7:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.5.8:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.0.4.2:*:*:*:*:*:*:*
- (no CPE) range: 3.5.x, 4.0.x before 4.0.5
Patches
- 24d0eb55203b
- 240b8332db53
- da4042fb6c43
- 66fe475d4f51
References
- github.com/phpmyadmin/phpmyadmin/commit/66fe475d4f51b1761719cb0cab360748800373f7 (nvd; Patch)
- github.com/phpmyadmin/phpmyadmin/commit/240b8332db53dedc27baeec5306dabad3bdece3b (nvd; Exploit, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/24d0eb55203b029f250c77d63f2900ffbe099e8b (nvd; Exploit, Patch)
- github.com/phpmyadmin/phpmyadmin/commit/da4042fb6c4365dc8187765c3bf525043687c66f (nvd; Exploit, Patch)
- secunia.com/advisories/54488 (nvd; Vendor Advisory)
- www.phpmyadmin.net/home_page/security/PMASA-2013-10.php (nvd; Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2013-08/msg00013.html (nvd)