Debian Security Advisory
DLA-406-1 phpmyadmin -- LTS security update
- Date Reported: 30 Jan 2016
- Affected Packages: phpmyadmin
- Security database references: In Mitre's CVE dictionary: CVE-2016-2039, CVE-2016-2041.
- More information:
Several flaws were discovered in the CSRF protection code of phpMyAdmin.
The XSRF/CSRF token is generated with a weak algorithm that relies on functions which do not return cryptographically secure values, so a token can be predicted by an attacker (CVE-2016-2039).
The comparison of the XSRF/CSRF token request parameter with the value saved in the session is vulnerable to timing attacks, because it stops at the first differing byte. Moreover, the comparison could be bypassed entirely if the stored token matches a particular pattern, allowing a forged request to pass the check without knowledge of the token (CVE-2016-2041).
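The following PHP is an added illustration of the two classes of flaw described above; it is not phpMyAdmin's own code and was not taken from the Debian patch. The "weak" functions are assumptions about the flawed pattern (a clock- and rand()-seeded token, and PHP's loose `==` comparison), chosen because they reproduce exactly the failure modes the advisory lists: a guessable token, a short-circuiting comparison, and a bypass when the stored token looks numeric. The function names and the constructed sample token are the author's, not the project's.

```php
<?php
// Added illustration for the advisory above; not phpMyAdmin's code.
// The *Weak functions are assumed examples of the flawed pattern.

// --- Token generation -------------------------------------------------------

// Weak (assumed pattern): uniqid() is derived from the clock and rand() is
// not a CSPRNG, so an attacker who can estimate the request time and the
// PRNG state can enumerate candidate tokens offline.
function generateTokenWeak(): string
{
    return md5(uniqid((string) rand(), true));
}

// Hardened: 32 bytes from the operating system CSPRNG, hex-encoded.
// random_bytes() exists since PHP 7.0; openssl_random_pseudo_bytes() is the
// fallback for older interpreters, failing closed if it is not "strong".
function generateTokenSecure(): string
{
    if (function_exists('random_bytes')) {
        return bin2hex(random_bytes(32));
    }
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(32, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('No cryptographically secure RNG available');
    }
    return bin2hex($bytes);
}

// --- Token comparison -------------------------------------------------------

// Weak (assumed pattern): PHP's loose == comparison. It returns as soon as a
// byte differs (timing side channel), and it converts numeric-looking
// strings to numbers before comparing, so a stored token of the form
// "0e<digits>" compares equal to the submitted value "0".
function checkTokenWeak($submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened: reject anything that is not a string of the right length, then
// compare in constant time. hash_equals() (PHP >= 5.6) inspects every byte
// regardless of where the first mismatch is; the fallback XOR-accumulates
// the differences so its running time does not depend on the input.
function checkTokenSecure($submitted, string $stored): bool
{
    if (!is_string($submitted) || strlen($submitted) !== strlen($stored)) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($stored, $submitted);
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($stored[$i]) ^ ord($submitted[$i]);
    }
    return $diff === 0;
}

// --- Demonstration ----------------------------------------------------------

// Constructed sample: md5("240610708") is a well-known digest of the form
// 0e<digits>, which loose comparison treats as the float 0.0. A weak
// generator that emits md5() output will eventually produce such a token.
$stored    = md5('240610708');
$submitted = '0';   // attacker's submission, no knowledge of the real token

var_dump($stored);
var_dump(checkTokenWeak($submitted, $stored));
var_dump(checkTokenSecure($submitted, $stored));
var_dump(checkTokenSecure($stored, $stored));   // the genuine token still validates

echo generateTokenSecure(), PHP_EOL;
```

Run with `php example.php`: the weak check accepts the forged value "0" for the 0e-form token while the hardened check rejects it and still accepts the genuine token. Note that switching `==` to `===` alone removes the numeric-string bypass but not the timing leak, since strict comparison also stops at the first differing byte; a constant-time comparison such as `hash_equals()` is needed for that, and the token must come from a CSPRNG so that the comparison has nothing guessable to protect.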