CSRF token not stripped from the URL

PMASA-2016-71

Announcement-ID: PMASA-2016-71

Date: 2016-11-25

Updated: 2016-12-06

Summary

CSRF token not stripped from the URL

Description

When the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action.

Severity

We have not yet determined a severity for this issue.

Affected Versions

All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.

Solution

Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-9866

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

• 773f126

The following commits have been made on the 4.4 branch to fix this issue:

• e3f2c74

The following commits have been made on the 4.6 branch to fix this issue:

• f87358d

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.