CVE-2016-2039

NameCVE-2016-2039
Descriptionlibraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-406-1, DLA-481-1, DSA-3627-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)bullseye4:5.0.4+dfsg2-2+deb11u1fixed
bookworm4:5.2.1+dfsg-1fixed
trixie4:5.2.1+dfsg-2fixed
sid4:5.2.1+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesqueeze4:3.3.7-11DLA-406-1
phpmyadminsourcewheezy4:3.4.11.1-2+deb7u3DLA-481-1
phpmyadminsourcejessie4:4.2.12-2+deb8u2DSA-3627-1
phpmyadminsource(unstable)4:4.5.4-1

Notes

squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib.
such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this
Search for package or bug name: Reporting problems