Debian DLA-406-1 : phpmyadmin security update
Severity: Medium. Nessus Plugin ID 88492.
Synopsis
The remote Debian host is missing a security update.
Description
Several flaws were discovered in the CSRF authentication code of phpMyAdmin.
The XSRF/CSRF token is generated with a weak algorithm using functions that do not return cryptographically secure values.
The comparison of the XSRF/CSRF token parameter with the value saved in the session is vulnerable to timing attacks. Moreover, the comparison could be bypassed if the XSRF/CSRF token matches a particular pattern.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution
Upgrade the affected phpmyadmin package.
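The two weaknesses the description names, token generation from non-cryptographic sources and a non-constant-time token comparison, are easiest to see next to their fixes. The following is an added illustration written for this page, not phpMyAdmin's code and not the patched code from the Debian update; the function names, the specific weak constructs (uniqid()/mt_rand() and a loose == comparison) and the sample tokens are assumptions chosen to show the class of defect, and the advisory does not state which pattern bypassed the original comparison.

```php
<?php
declare(strict_types=1);

// Added example (not phpMyAdmin's code). Weak and hardened variants of the two
// CSRF-token operations the advisory describes: generation and comparison.

// Weak generation (assumed illustrative pattern): uniqid() is time-based and
// mt_rand() is not a CSPRNG, so the input is predictable; md5() does not add
// entropy to a low-entropy input.
function weakToken(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened generation: 32 bytes from the OS CSPRNG, hex-encoded (64 chars).
function secureToken(): string
{
    return bin2hex(random_bytes(32));
}

// Weak comparison: == stops at the first differing byte, so the time taken
// leaks how long the matching prefix is; it is also a loose comparison, which
// in PHP treats numeric-looking strings as numbers ("1e3" == "1000" is true).
function weakCheck(string $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened comparison: hash_equals() runs in constant time for equal-length
// inputs and only returns true for byte-identical strings.
function secureCheck(string $submitted, string $stored): bool
{
    return hash_equals($stored, $submitted);
}

// Typical wiring in a request handler (shown as a function so the file also
// runs stand-alone): issue the token once per session and require it on every
// state-changing request.
function verifyCsrf(array &$session, array $post): bool
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = secureToken();
    }
    $submitted = $post['token'] ?? '';
    return is_string($submitted) && secureCheck($submitted, $session['csrf_token']);
}

// Stand-alone demo with constructed values (no real session or request).
$session = [];
$token = secureToken();
$session['csrf_token'] = $token;

var_dump(strlen($token) === 64);                                  // bool(true)
var_dump(verifyCsrf($session, ['token' => $token]));              // bool(true)
var_dump(verifyCsrf($session, ['token' => 'wrong']));             // bool(false)
var_dump(verifyCsrf($session, []));                               // bool(false)

// The loose comparison accepts two different strings that look numeric;
// the hardened check does not.
var_dump(weakCheck('1e3', '1000'));                               // bool(true)
var_dump(secureCheck('1e3', '1000'));                             // bool(false)
```

When reviewing an application for this class of issue, look for tokens derived from time, process id, rand()/mt_rand() or uniqid(), and for token checks written with ==, === or strcmp() instead of hash_equals(); the fix for the comparison side is a one-line substitution, and the generation side should draw from random_bytes() or another CSPRNG.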