SecurityTracker.com
Category:   Application (Generic)  >   phpMyAdmin
Vendors:   phpMyAdmin Development Team
phpMyAdmin Cross-Site Request Forgery Flaw Lets Remote Users Modify the Generated Configuration File
SecurityTracker Alert ID:  1032404
SecurityTracker URL:  http://securitytracker.com/id/1032404
CVE Reference:   CVE-2015-3902
Date:  May 26 2015
Impact:   Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.0 and later, prior to 4.0.10.10, 4.2.13.3, 4.3.13.1, 4.4.6.1
Description:   A vulnerability was reported in phpMyAdmin. A remote user can conduct cross-site request forgery attacks.

A remote user can create a specially crafted URL that, when loaded by the target user, will modify the configuration file being generated via phpMyAdmin setup. The active configuration file is not affected.

Inti De Ceukelaire (ceukelai.re) reported this vulnerability.

Impact:   A remote user can modify the configuration file being generated by setup.
Solution:   The vendor has issued a fix (4.0.10.10, 4.2.13.3, 4.3.13.1, 4.4.6.1).

The vendor's advisory is available at:

http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php

Vendor URL:  www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

