Hi Todd,
Thanks for reaching out to us. You're correct that the attack vector here is quite small, and as such when it was first reported we decided to fix it as part of our regular bugfixing process, targeting phpMyAdmin 4.9.1. The fix is actually already completed in a private way where we track security patches, just waiting for me to release 4.9.1.
There was indeed a report to our private security list, so that's why you didn't see it referenced in the public archives.
Thanks for the kind words, we always love hearing from our users. We also appreciate you calling our attention to this publication.
Isaac
On Wed, Sep 18, 2019 at 6:57 AM Todd Reed <tdreed@abrimos.com> wrote:
It "seems" it would be an easy fix. According to the original poster it says he alerted the development team.
I searched the archive and maybe he private messaged a couple developers?
https://www.cvedetails.com/cve/CVE-2019-12922/
https://seclists.org/fulldisclosure/2019/Sep/23
The bug would have very low probability of exploit. You would have to be logged into an existing phpmyadmin session and simultaneously trick the user to click on a link while in the setup stage.
Thought I would post here that the bug is publicly posted.
Thanks, Todd
P.S. Enjoy phpmyadmin. Been using it off and on over a decade.