Hi Todd,
Thanks for reaching out to us. You're correct that the attack vector
here is quite small, and as such when it was first reported we decided
to fix it as part of our regular bugfixing process, targeting
phpMyAdmin 4.9.1. The fix is actually already completed in a private
way where we track security patches, just waiting for me to release
4.9.1.
There was indeed a report to our private security list, so that's why
you didn't see it referenced in the public archives.
Thanks for the kind words, we always love hearing from our users. We
also appreciate you calling our attention to this publication.
Isaac
On Wed, Sep 18, 2019 at 6:57 AM Todd Reed <tdreed(a)abrimos.com> wrote:
It "seems" it would be an easy fix. According to the original poster, he
alerted the development team.
I searched the archive and maybe he private messaged a couple developers?
https://www.cvedetails.com/cve/CVE-2019-12922/
https://seclists.org/fulldisclosure/2019/Sep/23
The bug would have very low probability of exploit. You would have to be logged into an
existing phpmyadmin session and simultaneously trick the user to click on a link while in
the setup stage.
Thought I would post here that the bug is publicly posted.
Thanks,
Todd
P.S. Enjoy phpmyadmin. Been using it off and on over a decade.
_______________________________________________
Developers mailing list
Developers(a)phpmyadmin.net
https://lists.phpmyadmin.net/mailman/listinfo/developers
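The bug class Todd describes above (a logged-in user tricked into following a link that performs a state change in the setup page, i.e. cross-site request forgery) is conventionally mitigated with a per-session synchronizer token that every state-changing request must carry. The following is an added illustration written for this thread; it is not phpMyAdmin's code or the 4.9.1 fix, and the function names (csrfToken, csrfRequestIsValid, handleSetupPost) and the array-backed session are assumptions made so it runs from the CLI:

```php
<?php
// Added example (not phpMyAdmin code): synchronizer-token CSRF check for a
// state-changing form handler such as a setup page. The session is modelled
// as a plain array so the script runs stand-alone from the command line.
declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';

/** Issue (or reuse) a per-session random token to embed in every state-changing form. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

/** Hidden field that a legitimately rendered form carries back on submit. */
function csrfField(array &$session): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * True only when the request is a POST whose token matches the session's
 * token. A GET (the kind of request a planted link produces) never qualifies,
 * and the comparison is constant-time so the token cannot be guessed byte by byte.
 */
function csrfRequestIsValid(array $session, array $request, string $method): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $request['token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

/** Simulated setup-page handler: applies the submitted config only after the token check. */
function handleSetupPost(array &$session, array $request, string $method, array &$config): string
{
    if (!csrfRequestIsValid($session, $request, $method)) {
        return 'rejected: missing or invalid token';
    }
    $config['host'] = $request['host'] ?? $config['host'];
    return 'applied';
}

// Constructed walk-through.
$session = [];
$config  = ['host' => 'localhost'];

// 1. Rendering the real form issues the session token.
$field = csrfField($session);
echo $field, "\n";

// 2. A cross-site link (GET), a forged POST without a token, and a POST with a
//    wrong token are all refused; the config is left untouched.
echo handleSetupPost($session, ['host' => 'attacker-chosen'], 'GET', $config), "\n";
echo handleSetupPost($session, ['host' => 'attacker-chosen'], 'POST', $config), "\n";
echo handleSetupPost($session, ['host' => 'attacker-chosen', 'token' => 'guess'], 'POST', $config), "\n";
echo 'host is still: ', $config['host'], "\n";

// 3. The same form submitted with the session's own token is accepted.
echo handleSetupPost($session, ['host' => 'db.internal', 'token' => csrfToken($session)], 'POST', $config), "\n";
echo 'host is now: ', $config['host'], "\n";
```

The point worth keeping from this example is the pair of conditions in csrfRequestIsValid: state changes are accepted only over POST, and only with a token that exists in the server-side session and matches under hash_equals. Either condition on its own is insufficient; a GET-triggered change is exactly what a planted link exploits, and a token compared with a plain string comparison is open to timing analysis.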