Bringing MySQL to the web

PMASA-2006-5

Announcement-ID: PMASA-2006-5

Date: 2006-10-01

Summary

XSRF (Cross Site Request Forgery) vulnerabilities

Description

We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.

Severity

We consider these vulnerabilities to be serious.

Affected Versions

At least versions since 2.8.2.x.

Solution

Upgrade to phpMyAdmin 2.9.0.1 or newer.

References

Assigned CVE ids: CVE-2006-5116

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.