Name | CVE-2009-4605 |
Description | scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before 2.11.10 calls the unserialize function on the values of the (1) configuration and (2) v[0] parameters, which might allow remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
References | DSA-2034-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
Source Package | Release | Version | Status |
---|
phpmyadmin (PTS) | bullseye | 4:5.0.4+dfsg2-2+deb11u1 | fixed |
| bookworm | 4:5.2.1+dfsg-1 | fixed |
| sid, trixie | 4:5.2.1+dfsg-3 | fixed |
The information below is based on the following data on fixed versions.
Notes
vulnerable code does not in the 3.x series (sid and squeeze checked)
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin?view=rev&revision=13149
there is still at least one unserialize() call on _POST data