VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2014 · Updated May 6, 2026

CVE-2014-4987


Description

server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

In phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6, an authenticated but unprivileged user can read the MySQL user list via server_user_groups.php.

Vulnerability

In phpMyAdmin versions 4.1.x prior to 4.1.14.2 and 4.2.x prior to 4.2.6, the file server_user_groups.php lacks proper authorization checks. When the configuration storage (e.g., the phpMyAdmin control user and related tables) is set up for the user groups feature, a remote authenticated user who is not a MySQL superuser can issue a viewUsers request to that script and retrieve the full list of MySQL user accounts. This code path is reachable only if the user is already logged into phpMyAdmin and the configuration storage is enabled [2].

Exploitation

The attacker must have valid credentials to log in to phpMyAdmin and the configuration storage must be configured for user groups. The attacker can then send a crafted viewUsers request to server_user_groups.php. No special network position beyond standard HTTP access is required, and no user interaction is needed beyond the initial login. The phpMyAdmin advisory notes that normal CSRF token protection prevents non-logged-in users from exploiting this issue [2].
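As an added defensive illustration (not part of the advisory and not phpMyAdmin code), the following script triages web-server access logs for the request pattern described above: requests to server_user_groups.php that carry a viewUsers parameter, grouped by client address, so an operator of an unpatched instance can see which logged-in clients reached this code path. The log lines are constructed; placing viewUsers in the query string is an assumption (the advisory only says "a viewUsers request"), and POST bodies do not appear in access logs, so only GET-style requests are visible to this check.

```php
<?php
// Added example, not from the advisory or the phpMyAdmin project.
// Function names (parseAccessLine, isViewUsersRequest, triageLog) are
// hypothetical; the log lines below are constructed sample data.

declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.1.2.3 - - [20/Jul/2014:10:01:02 +0000] "GET /phpmyadmin/index.php?token=abc HTTP/1.1" 200 5120
10.1.2.3 - - [20/Jul/2014:10:01:09 +0000] "GET /phpmyadmin/server_user_groups.php?viewUsers=1&token=abc HTTP/1.1" 200 2210
10.1.2.3 - - [20/Jul/2014:10:01:15 +0000] "GET /phpmyadmin/server_user_groups.php?viewUsers=1&userGroup=readers&token=abc HTTP/1.1" 200 2210
10.9.9.9 - - [20/Jul/2014:10:02:00 +0000] "GET /phpmyadmin/server_user_groups.php?token=def HTTP/1.1" 200 1800
10.9.9.9 - - [20/Jul/2014:10:02:30 +0000] "POST /phpmyadmin/server_user_groups.php HTTP/1.1" 200 1800
192.0.2.7 - - [20/Jul/2014:10:03:00 +0000] "GET /phpmyadmin/server_privileges.php?viewUsers=1 HTTP/1.1" 200 1800
LOG;

/**
 * Parse one Common/Combined Log Format line into client, timestamp, method,
 * request path and status. Returns null for lines that do not match.
 */
function parseAccessLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'client' => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $m[4],
        'status' => (int) $m[5],
    ];
}

/** True when the request targets server_user_groups.php with a viewUsers parameter (assumed query-string placement). */
function isViewUsersRequest(array $req): bool
{
    $parts = parse_url($req['path']);
    if (!isset($parts['path']) || basename($parts['path']) !== 'server_user_groups.php') {
        return false;
    }
    $query = [];
    parse_str($parts['query'] ?? '', $query);
    return array_key_exists('viewUsers', $query);
}

/** Aggregate matching requests per client address. */
function triageLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseAccessLine($line);
        if ($req === null || !isViewUsersRequest($req)) {
            continue;
        }
        $hits[$req['client']][] = $req;
    }
    return $hits;
}

// Report: which clients issued viewUsers requests to this script, and the
// status they received. Correlate the client with the phpMyAdmin login
// in your own session records to decide whether it was a superuser.
foreach (triageLog(SAMPLE_LOG) as $client => $reqs) {
    printf("%s: %d viewUsers request(s) to server_user_groups.php\n", $client, count($reqs));
    foreach ($reqs as $r) {
        printf("  %s %s %s -> %d\n", $r['time'], $r['method'], $r['path'], $r['status']);
    }
}
```

Only the two 10.1.2.3 lines match: the token-only request and the POST from 10.9.9.9 lack a visible viewUsers parameter, and the 192.0.2.7 request goes to a different script. Matching on the script name rather than on the parameter alone keeps unrelated pages that happen to use a viewUsers parameter out of the result.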

Impact

A successful attack allows an unprivileged authenticated user to bypass intended access restrictions and read the MySQL user list. This information disclosure may reveal user account names that could be targeted in further attacks. According to the vendor, the severity of this vulnerability is considered non-critical [2].

Mitigation

The vulnerability is fixed in phpMyAdmin versions 4.1.14.2 and 4.2.6 and later [2]. Patches are available via commits 395265e9937beb21134626c01a21f44b28e712e5 for the 4.2 branch and 45550b8cff06ad128129020762f9b53d125a6934 for the 4.1 branch [2]. Gentoo Linux has also provided updated packages [3]. Users unable to upgrade can reduce exposure by ensuring that the configuration storage for user groups is not enabled; this is only a partial workaround, and no complete workaround other than applying the patch is known [2][3].
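The Vulnerability and Mitigation sections describe a missing privilege check in front of a privileged action. The script below is an added illustration of that pattern and its fix, not code from phpMyAdmin or from the referenced commits: a minimal request handler modelled on the viewUsers action is shown in its vulnerable form (the only gate is "is there a logged-in session?") beside a hardened form that evaluates authorization before any action is dispatched and that keeps the feature unreachable unless configuration storage for user groups is set up. All function names, the `is_superuser` session flag, the `usergroups_enabled` config key and the user list are hypothetical constructs.

```php
<?php
// Added illustration, not phpMyAdmin code. Names (vulnerableViewUsers,
// hardenedViewUsers, fetchMysqlUsers, session/config keys) are hypothetical;
// the user list and the sessions below are constructed sample data.

declare(strict_types=1);

/** Constructed stand-in for the result of "SELECT User, Host FROM mysql.user". */
function fetchMysqlUsers(): array
{
    return [
        ['User' => 'root',      'Host' => 'localhost'],
        ['User' => 'app_rw',    'Host' => '10.0.0.%'],
        ['User' => 'reporting', 'Host' => '%'],
    ];
}

/**
 * Vulnerable pattern (the CVE-2014-4987 class of bug): the handler only
 * confirms that a session exists, which the surrounding framework already
 * guarantees. Any authenticated user who adds viewUsers reaches the list.
 */
function vulnerableViewUsers(array $request, array $session): array
{
    if (empty($session['logged_in'])) {
        return ['status' => 401, 'body' => 'login required'];
    }
    if (!isset($request['viewUsers'])) {
        return ['status' => 200, 'body' => 'user group management page'];
    }
    // Missing: a privilege check. Every logged-in user reaches this line.
    return ['status' => 200, 'body' => fetchMysqlUsers()];
}

/**
 * Hardened pattern: the feature is gated on configuration storage being
 * set up, and authorization is decided before the requested action is
 * dispatched, so no action in this script can be reached without it.
 */
function hardenedViewUsers(array $request, array $session, array $config): array
{
    if (empty($session['logged_in'])) {
        return ['status' => 401, 'body' => 'login required'];
    }
    // Assumed config key standing in for the user-groups configuration
    // storage being present; when it is not, the script serves nothing.
    if (empty($config['usergroups_enabled'])) {
        return ['status' => 404, 'body' => 'feature disabled'];
    }
    // Authorization first, independent of which action was requested.
    if (empty($session['is_superuser'])) {
        return ['status' => 403, 'body' => 'No Privileges'];
    }
    if (!isset($request['viewUsers'])) {
        return ['status' => 200, 'body' => 'user group management page'];
    }
    return ['status' => 200, 'body' => fetchMysqlUsers()];
}

// Constructed scenario: a logged-in non-superuser and a superuser both send
// a viewUsers request to each variant of the handler.
$request     = ['viewUsers' => '1'];
$limitedUser = ['logged_in' => true, 'is_superuser' => false];
$dba         = ['logged_in' => true, 'is_superuser' => true];
$config      = ['usergroups_enabled' => true];

foreach (['vulnerable', 'hardened'] as $variant) {
    foreach (['limited' => $limitedUser, 'dba' => $dba] as $who => $session) {
        $result = $variant === 'vulnerable'
            ? vulnerableViewUsers($request, $session)
            : hardenedViewUsers($request, $session, $config);
        $summary = is_array($result['body'])
            ? count($result['body']) . ' MySQL accounts returned'
            : $result['body'];
        printf("%-10s %-8s HTTP %d: %s\n", $variant, $who, $result['status'], $summary);
    }
}
```

The point of the hardened ordering is that the privilege decision is made once, at the top of the script, rather than per action: a later action added to the same script cannot be forgotten by the check. The feature gate also explains why the vendor's partial workaround (leaving the user-groups configuration storage disabled) removes the reachable code path without being a substitute for the patch.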

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (26)

  • phpMyAdmin
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.10:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.11:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.12:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.13:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.14.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:4.2.5:*:*:*:*:*:*:*
    • (no CPE) version range: <4.1.14.2, <4.2.6
  • openSUSE (2 versions)
    • cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*
    • cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.