Debian Security Advisory

DLA-406-1 phpmyadmin -- LTS security update

Date Reported:
30 Jan 2016
Affected Packages:
phpmyadmin
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-2039, CVE-2016-2041.
More information:

Several flaws were discovered in the CSRF authentication code of phpMyAdmin.

  • CVE-2016-2039

    The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.

  • CVE-2016-2041

    The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.
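The two fixes the advisory calls for, shown together as an added example written for this page rather than phpMyAdmin's own code: the token comes from the operating-system CSPRNG (CVE-2016-2039), and it is checked with `hash_equals()`, which is timing-safe and never falls back to PHP's loose `==` conversion rules (CVE-2016-2041). It assumes PHP 7.0 or later for `random_bytes()`; the session array and the function names are constructed for the demonstration.

```php
<?php
// Added example, not phpMyAdmin code. Assumes PHP >= 7.0 (random_bytes()).
declare(strict_types=1);

// Generation: random_bytes() reads from the OS CSPRNG. rand(), mt_rand()
// and uniqid() are predictable and would reproduce the CVE-2016-2039 flaw.
function csrf_token_generate(): string
{
    return bin2hex(random_bytes(32)); // 64 hex characters, 256 bits of entropy
}

// One token per session, created on first use. $session stands in for $_SESSION.
function csrf_token_for_session(array &$session): string
{
    if (!isset($session['csrf_token']) || !is_string($session['csrf_token'])) {
        $session['csrf_token'] = csrf_token_generate();
    }
    return $session['csrf_token'];
}

// Validation: hash_equals() runs in time independent of where the strings
// differ (it only short-circuits on a length mismatch), so the byte-by-byte
// early exit that enables a timing attack is gone. It also compares raw
// bytes, so no "==" type juggling can make a different value look equal.
function csrf_token_is_valid(array $session, $submitted): bool
{
    if (!isset($session['csrf_token']) || !is_string($submitted)) {
        return false; // hash_equals() requires two strings; never pass a non-string
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Constructed demonstration with an in-memory session array.
$session = [];
$token = csrf_token_for_session($session);
echo csrf_token_is_valid($session, $token) ? "genuine token accepted\n" : "BUG\n";
echo csrf_token_is_valid($session, strtoupper($token)) ? "BUG\n" : "altered token rejected\n";
echo csrf_token_is_valid($session, null) ? "BUG\n" : "missing token rejected\n";
```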