phpMyAdmin Bringing MySQL to the web

PMASA-2011-5

Announcement-ID: PMASA-2011-5

Date: 2011-07-02

Updated: 2011-07-03

Summary

Possible session manipulation in Swekey authentication.

Description

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. This could open a path for other attacks.

Severity

We consider this vulnerability to be critical.

Affected Versions

The 3.4.3 and earlier versions are affected.

Unaffected Versions

Branch 2.11.x is not affected by this.

Solution

Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed below.

References

This issue was found by Frans Pehrson from Xxor AB. His advisory.

Assigned CVE ids: CVE-2011-2505

CWE ids: CWE-473 CWE-661

Patches

The following commits have been made to fix this issue:

• 7ebd958b2bf59f96fecd5b3322bdbd0b244a7967

The following commits have been made on the 3.3 branch to fix this issue:

• 6e6e129f26295c83d67b74e202628a4b8bc49e54

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.