1529160 – phpMyAdmin: XSRF/CSRF vulnerability fixed in version 4.7.7

Bug 1529160 - phpMyAdmin: XSRF/CSRF vulnerability fixed in version 4.7.7

Summary: phpMyAdmin: XSRF/CSRF vulnerability fixed in version 4.7.7

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1529161 1529162 1529163
Blocks:
TreeView+	depends on / blocked

Reported:	2017-12-26 19:39 UTC by Pedro Sampaio
Modified:	2020-05-20 21:16 UTC (History)
CC List:	7 users (show)
Fixed In Version:	phpMyAdmin 4.7.7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-20 21:16:57 UTC
Embargoed:

Attachments	(Terms of Use)

Description Pedro Sampaio 2017-12-26 19:39:37 UTC

A CSRF vulneratibility was found in phpMyAdmin before 4.7.7. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

Upstream patch:

https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b
https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b

References:

https://www.phpmyadmin.net/security/PMASA-2017-9/

Comment 1 Pedro Sampaio 2017-12-26 19:40:15 UTC

Created phpMyAdmin tracking bugs for this issue:

Affects: epel-all [bug 1529162]
Affects: fedora-all [bug 1529161]
Affects: openshift-1 [bug 1529163]

Comment 2 Product Security DevOps Team 2020-05-20 21:16:57 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.