1532951 – (CVE-2017-1000499) CVE-2017-1000499 phpMyAdmin: CSRF vulnerability can be used to deceive users into performing arbitrary database operations

Bug 1532951 (CVE-2017-1000499) - CVE-2017-1000499 phpMyAdmin: CSRF vulnerability can be used to deceive users into performing arbitrary database operations

Summary: CVE-2017-1000499 phpMyAdmin: CSRF vulnerability can be used to deceive users ...

Keywords:
Status:	CLOSED UPSTREAM
Alias:	CVE-2017-1000499
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1532952 1532953 1532954
Blocks:	1696272
TreeView+	depends on / blocked

Reported:	2018-01-10 05:14 UTC by Sam Fowler
Modified:	2020-05-20 21:16 UTC (History)
CC List:	8 users (show)
Fixed In Version:	phpMyAdmin 4.7.7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-05-20 21:16:59 UTC
Embargoed:

Attachments	(Terms of Use)

Description Sam Fowler 2018-01-10 05:14:44 UTC

phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc.

References:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000499
https://www.phpmyadmin.net/security/PMASA-2017-9/
http://cyberworldmirror.com/vulnerability-phpmyadmin-lets-attacker-perform-drop-table-single-click/
https://github.com/phpmyadmin/phpmyadmin/commit/edd929216ade9f7c150a262ba3db44db0fed0e1b
https://github.com/phpmyadmin/phpmyadmin/commit/72f109a99c82b14c07dcb19946ba9b76efc32a1b

Comment 1 Sam Fowler 2018-01-10 05:15:22 UTC

Created phpMyAdmin tracking bugs for this issue:

Affects: epel-all [bug 1532952]
Affects: fedora-all [bug 1532954]
Affects: openshift-1 [bug 1532953]

Comment 2 Robert Scheck 2018-05-26 18:33:44 UTC

Closing as per https://www.phpmyadmin.net/security/PMASA-2017-9/:
Unaffected Versions: Versions older than 4.7.0 are not affected.

Comment 3 Robert Scheck 2018-05-26 18:34:23 UTC

Sorry, comment #2 was meant to be posted in bug 1532952. Reopening this one.

Comment 4 Product Security DevOps Team 2020-05-20 21:16:59 UTC

This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Note You need to log in before you can comment on or make changes to this bug.