Debian Security Advisory

DLA-406-1 phpmyadmin -- LTS security update

Date Reported:
30 Jan 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-2039, CVE-2016-2041.
More information:

Several flaws were discovered in the CSRF authentication code of phpMyAdmin.

  • CVE-2016-2039

    The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.

  • CVE-2016-2041

    The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.