CVE-2016-2039

Name: CVE-2016-2039
Description: libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-406-1, DLA-481-1, DSA-3627-1
NVD severity: medium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

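| Source Package | Release | Version | Status |
|---|---|---|---|
| phpmyadmin (PTS) | wheezy | 4:3.4.11.1-2+deb7u2 | vulnerable |
| phpmyadmin | wheezy (security) | 4:3.4.11.1-2+deb7u8 | fixed |
| phpmyadmin | jessie (security), jessie | 4:4.2.12-2+deb8u2 | fixed |
| phpmyadmin | stretch | 4:4.6.6-4 | fixed |
| phpmyadmin | buster, sid | 4:4.6.6-5 | fixed |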

The information below is based on the following data on fixed versions.

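| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| phpmyadmin | source | (unstable) | 4:4.5.4-1 | medium | | |
| phpmyadmin | source | jessie | 4:4.2.12-2+deb8u2 | medium | DSA-3627-1 | |
| phpmyadmin | source | squeeze | 4:3.3.7-11 | medium | DLA-406-1 | |
| phpmyadmin | source | wheezy | 4:3.4.11.1-2+deb7u3 | medium | DLA-481-1 | |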

Notes

squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib.
such a fix needs to avoid introducing a new vulnerability as well; upstream introduced CVE-2016-2042 as part of this
