Fluid Attacks Database

Description

phpMyAdmin Unsafe comparison of XSRF/CSRF token libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.0 <4.0.10.13 \|\| >=4.4 <4.4.15.3 \|\| >=4.5 <4.5.4	4.0.10.13, 4.4.15.3, 4.5.4
debian 13	phpmyadmin	>=0 <4:4.5.4-1	4:4.5.4-1
debian 11	phpmyadmin	>=0 <4:4.5.4-1	4:4.5.4-1
debian 12	phpmyadmin	>=0 <4:4.5.4-1	4:4.5.4-1

Aliases

1. CVE-2016-20412. NVD-2016-20413. OSV-2016-20414. OSV-DEBIAN-2016-20415. GCVE-2016-20416. SECURITY-TRACKER-CVE-2016-2041

References

1. https://github.com/phpmyadmin/phpmyadmin/commit/ec0e88e37ef30a66eada1c072953f4ec385a3e492. http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176483.html3. http://lists.fedoraproject.org/pipermail/package-announce/2016-February/176739.html4. http://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html5. http://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html6. http://www.debian.org/security/2016/dsa-36277. http://www.phpmyadmin.net/home_page/security/PMASA-2016-5.php