FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

phpmyadmin -- Unsafe comparison of XSRF/CSRF token

Affected packages
4.5.0 <= phpmyadmin < 4.5.4

Details

VuXML ID 71b24d99-c60b-11e5-bf36-6805ca0b3d42
Discovery 2016-01-28
Entry 2016-01-28

The phpMyAdmin development team reports:

The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.

We consider this vulnerability to be serious.
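The two defects the report names, a comparison whose running time depends on the input and a comparison that can be satisfied by a token of a "particular pattern", are both properties of PHP's loose `==` operator, which stops at the first differing byte and applies type juggling to numeric-looking strings. The following is an added illustration, not phpMyAdmin's code from the advisory: the loose check is assumed as a representative of the vulnerable class, the function names are hypothetical, and the hardened version uses the standard constant-time, type-strict `hash_equals()` (PHP 5.6 and later) together with an explicit type check.

```php
<?php
// Added example; not phpMyAdmin's own code. Function names are hypothetical.
declare(strict_types=1);

// Assumed vulnerable pattern: loose comparison of the submitted token
// against the token stored in the session.
//  - `==` returns as soon as a byte differs, so response time reveals how
//    much of the secret prefix matched (timing attack).
//  - `==` applies PHP type juggling: numeric-looking strings are compared
//    as numbers, so two different tokens can compare equal.
function tokenMatchesLoose(string $sessionToken, $submitted): bool
{
    return $submitted == $sessionToken;
}

// Hardened check: insist on a non-empty string, then compare in constant
// time. hash_equals() takes the same time wherever the strings differ and
// never coerces types, so neither defect above applies.
function tokenMatchesStrict(string $sessionToken, $submitted): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($sessionToken, $submitted);
}

// Token generation: 32 bytes from the CSPRNG, hex-encoded, stored in the
// session once per login and sent back with every state-changing request.
function newCsrfToken(): string
{
    return bin2hex(random_bytes(32));
}

// Constructed usage values (no real session involved).
$sessionToken = newCsrfToken();
$wrongToken   = strrev($sessionToken); // right length, wrong content

var_dump(tokenMatchesStrict($sessionToken, $sessionToken));
var_dump(tokenMatchesStrict($sessionToken, $wrongToken));
var_dump(tokenMatchesStrict($sessionToken, null));
```

The `is_string` guard matters even with `hash_equals()`: passing a non-string raises a TypeError in PHP 8 and only a warning in PHP 7, so rejecting anything that is not a string up front keeps the check's outcome well defined across versions.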

References

CVE Name CVE-2016-2041
URL https://www.phpmyadmin.net/security/PMASA-2016-5/