phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Phpmyadmin | Phpmyadmin | 4.6.0 (including) | 4.6.0 (including) |
| Phpmyadmin | Phpmyadmin | 4.6.0-alpha1 (including) | 4.6.0-alpha1 (including) |
| Phpmyadmin | Phpmyadmin | 4.6.0-rc1 (including) | 4.6.0-rc1 (including) |
| Phpmyadmin | Phpmyadmin | 4.6.0-rc2 (including) | 4.6.0-rc2 (including) |
| Phpmyadmin | Phpmyadmin | 4.6.1 (including) | 4.6.1 (including) |
| Phpmyadmin | Phpmyadmin | 4.6.2 (including) | 4.6.2 (including) |
| Phpmyadmin | Ubuntu | esm-apps/xenial | * |
| Phpmyadmin | Ubuntu | esm-infra-legacy/trusty | * |
| Phpmyadmin | Ubuntu | precise | * |
| Phpmyadmin | Ubuntu | trusty | * |
| Phpmyadmin | Ubuntu | trusty/esm | * |
| Phpmyadmin | Ubuntu | upstream | * |
| Phpmyadmin | Ubuntu | wily | * |
| Phpmyadmin | Ubuntu | xenial | * |
References
- https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b166a0639fdf68
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-18/
- https://github.com/phpmyadmin/phpmyadmin/commit/27caf5b46bd0890e576fea7bd7b166a0639fdf68
- https://security.gentoo.org/glsa/201701-32
- https://www.phpmyadmin.net/security/PMASA-2016-18/