Bug 1529160

Summary:	phpMyAdmin: XSRF/CSRF vulnerability fixed in version 4.7.7
Product:	[Other] Security Response	Reporter:	Pedro Sampaio <psampaio>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED UPSTREAM	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	ccoleman, dedgar, dmcphers, fedora, imlinux+fedora, jgoulding, redhat-bugzilla
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	phpMyAdmin 4.7.7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2020-05-20 21:16:57 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1529161, 1529162, 1529163
Bug Blocks:

Description Pedro Sampaio 2017-12-26 19:39:37 UTC

A CSRF vulneratibility was found in phpMyAdmin before 4.7.7. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Upstream patch:

https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b
https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b

References:

https://www.phpmyadmin.net/security/PMASA-2017-9/

Comment 1 Pedro Sampaio 2017-12-26 19:40:15 UTC

Created phpMyAdmin tracking bugs for this issue:

Affects: epel-all [bug 1529162]
Affects: fedora-all [bug 1529161]
Affects: openshift-1 [bug 1529163]

Comment 2 Product Security DevOps Team 2020-05-20 21:16:57 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.