CVE-2008-1149

NameCVE-2008-1149
DescriptionphpMyAdmin before 2.11.5 accesses $_REQUEST to obtain some parameters instead of $_GET and $_POST, which allows attackers in the same domain to override certain variables and conduct SQL injection and Cross-Site Request Forgery (CSRF) attacks by using crafted cookies.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1557-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)stretch4:4.6.6-4+deb9u1fixed
stretch (security)4:4.6.6-4+deb9u2fixed
bullseye4:5.0.4+dfsg2-2fixed
bookworm, sid4:5.1.1+dfsg1-4fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsourcesarge(not affected)
phpmyadminsourceetch4:2.9.1.1-7DSA-1557-1
phpmyadminsource(unstable)4:2.11.5-1low

Notes

[etch] - phpmyadmin <no-dsa> (Minor issue)
[sarge] - phpmyadmin <not-affected> (Vulnerable code not present)
https://www.phpmyadmin.net/security/PMASA-2008-1/
https://github.com/phpmyadmin/phpmyadmin/commit/c57b39bed91f06d574a95d8a5a091e5e59492d69
SQL injection if you can set local cookies, which means
you must be able to create pages in the same cookie domain, which seems
rare and unwise. low priority.

Search for package or bug name: Reporting problems