| Name | CVE-2016-2039 |
| Description | libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-406-1, DLA-481-1, DSA-3627-1 |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| phpmyadmin (PTS) | jessie, jessie (lts) | 4:4.2.12-2+deb8u12 | fixed |
| stretch (security) | 4:4.6.6-4+deb9u2 | fixed |
| stretch (lts), stretch | 4:4.6.6-4+deb9u3 | fixed |
| bullseye | 4:5.0.4+dfsg2-2+deb11u1 | fixed |
| bookworm | 4:5.2.1+dfsg-1 | fixed |
| sid, trixie | 4:5.2.1+dfsg-4 | fixed |
The information below is based on the following data on fixed versions.
Notes
squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work
https://www.phpmyadmin.net/security/PMASA-2016-2/
https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib.
such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this