PHPDeveloper: PHP News, Views and Community

Subscribe

@phpdeveloper.org

News Archive

Community News: Latest PEAR Releases (03.18.2024)

Community News: Latest PEAR Releases (03.11.2024)

Community News: Latest PECL Releases (03.05.2024)

Community News: Latest PECL Releases (02.27.2024)

Community News: Latest PEAR Releases (02.26.2024)

Community News: Latest PECL Releases (02.20.2024)

Community News: Latest PECL Releases (02.13.2024)

Community News: Latest PEAR Releases (02.12.2024)

Community News: Latest PECL Releases (02.06.2024)

Community News: Latest PECL Releases (01.30.2024)

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Hardened-PHP Project:
Advisory - phpMyAdmin Multiple CSRF Vulnerabilities

byChris Cornutt Oct 02, 2006 @ 14:51:00

The Hardened-PHP Project has issued another advisory today, this time effecting the popular database administration package phpMyAdmin.

During an audit of phpMyAdmin's protection against CSRF: Cross Site Request Forgeries we discovered that there were multiple ways to bypass the protection.

The failure of phpMyAdmin's CSRF protection obviously means that a potential attacker can use CSRF attacks to trick the browser of a phpMyAdmin user to execute any kind of SQL queries on the victims database server.

The advisory mentions the source of the problem - a random token that is in the user's session that could be exploited to gain unauthorized access to an account. Their recommendation is to update to the latest version of phpMyAdmin (2.9.0.1 as of the time of this post) to help resolve the issue.