CVE-2006-5116: CSRF
First published: Mon Oct 02 2006(Updated: )
Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL though dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php. NOTE: the PHP unset function vector is covered by CVE-2006-3017.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| phpMyAdmin phpMyAdmin | =2.8.1_dev | |
| phpMyAdmin phpMyAdmin | =2.8.3 | |
| phpMyAdmin phpMyAdmin | =2.8.0.2 | |
| phpMyAdmin phpMyAdmin | =2.9.0_dev | |
| phpMyAdmin phpMyAdmin | =2.8.0.1 | |
| phpMyAdmin phpMyAdmin | =2.8.1 | |
| phpMyAdmin phpMyAdmin | =2.8.0.3 | |
| phpMyAdmin phpMyAdmin | =2.8.4 | |
| debian/phpmyadmin | 4:5.0.4+dfsg2-2+deb11u1 4:5.2.1+dfsg-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download
- http://www.securityfocus.com/bid/20253
- http://secunia.com/advisories/22126
- http://attrition.org/pipermail/vim/2006-October/001067.html
- http://www.hardened-php.net/advisory_072006.130.html
- http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5
- http://www.debian.org/security/2006/dsa-1207
- http://secunia.com/advisories/22781
- http://lists.suse.com/archive/suse-security-announce/2006-Nov/0010.html
- http://secunia.com/advisories/23086
- http://securityreason.com/securityalert/1677
- https://exchange.xforce.ibmcloud.com/vulnerabilities/29301
- http://www.securityfocus.com/archive/1/447491/100/0/threaded
- https://www.phpmyadmin.net/security/PMASA-2006-5/
- https://github.com/phpmyadmin/phpmyadmin/commit/b3906852bbcb5c4e116cc20e214b7f6793ca97aa
- https://github.com/phpmyadmin/phpmyadmin/commit/ac2f606a21d474596a4b2cada961385439cbc8f0
- https://github.com/phpmyadmin/phpmyadmin/commit/50319d634c620044a0542495939cd68530f00259
- https://security-tracker.debian.org/tracker/CVE-2006-5116
- collector/nvd-historical
- vendor/phpmyadmin
- product/phpmyadmin
- canonical/phpmyadmin phpmyadmin
- collector/security-tracker-debian
- collector/nvd-index
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/remedy
- agent/tags
- collector/mitre-cve
- source/MITRE
- version/phpmyadmin phpmyadmin/2.8.1_dev
- version/phpmyadmin phpmyadmin/2.8.3
- version/phpmyadmin phpmyadmin/2.8.0.2
- version/phpmyadmin phpmyadmin/2.9.0_dev
- version/phpmyadmin phpmyadmin/2.8.0.1
- version/phpmyadmin phpmyadmin/2.8.1
- version/phpmyadmin phpmyadmin/2.8.0.3
- version/phpmyadmin phpmyadmin/2.8.4
- package-manager/debian