Possible session manipulation in Swekey authentication.

2011-07-02T00:00:00
ID PHPMYADMIN:PMASA-2011-5
Type phpmyadmin
Reporter phpMyAdmin
Modified 2011-07-03T00:00:00

Description

PMASA-2011-5

Announcement-ID: PMASA-2011-5

Date: 2011-07-02

Updated: 2011-07-03

Summary

Possible session manipulation in Swekey authentication.

Description

It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. This could open a path for other attacks.

Severity

We consider this vulnerability to be critical.

Affected Versions

The 3.4.3 and earlier versions are affected.

Unaffected Versions

Branch 2.11.x is not affected by this.

Solution

Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed below.

References

This issue was found by Frans Pehrson from Xxor AB. His advisory.

Assigned CVE ids: CVE-2011-2505

CWE ids: CWE-473 CWE-661

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 3.3 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.