[VIM] Concerning CSRF in phpMyAdmin (CVE-2006-5116)

Heinbockel, Bill heinbockel at mitre.org
Tue Oct 3 12:53:42 EDT 2006

>-----Original Message-----
>From: Stefan Esser [sesser (at) hardened-php (dot) net]
>Sent: Tuesday, 3 October 2006 12:36
>To: Heinbockel, Bill
>Subject: Re: Question regarding the CSRF in phpMyAdmin
>> Regarding the advisory:
>> Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities
>> Is this the same issue mentioned by the phpMyAdmin changelog
>> for 2.9.1-rc1, which mentions "2006-09-27 ... 
>> /session.inc.php, /url_generating.lib.php: security fixes 
>> will come later), thanks to Sebastian Mendel and Stefan Esser."
>It is the same issue? Yes and no... The fixes in 2.9.1-rc1 were not
>fixing all issues I reported (correctly). It is still vulnerable to some
>of the attacks I found. After they released rc1 they decided to not call
>the next release 2.9.1 but to call it I guess this is the
>reason for the confusion.
>However 2.9.1-rc1 is STILL vulnerable to some of the issues reported in
>my advisory.

The phpMyAdmin changelog issue was assigned CVE-2006-5116. Another CVE will
be published for the issues not addressed in the 2.9.1-rc1 release.


Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.1-rc1
have unspecified impact and attack vectors, related to 
(1) libraries/common.lib.php, (2) session.inc.php, and 
(3) url_generating.lib.php.

Ref: BID:20253
Ref: SECUNIA:22126

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
