[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Sebastian Mendel lists at sebastianmendel.de
Mon Mar 3 15:20:45 CET 2008


Marc Delisle wrote:
> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a 
> security fix.
> 
> Security announcement: 
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
> 
> The release notes and download info are available on
> http://www.phpmyadmin.net.
> 
> Marc Delisle, for the team.

A big German IT news site (heise.de) has reported on our latest release, 
but finds fault that the description is unclear about what exactly the problem is.

Possibly we should add the term used by Stefan Esser: "Delayed Cross Site 
Request Forgery"

and explain: another application could set a cookie for the root path '/' 
which could override phpMyAdmin's _GET or _POST params, e.g. a cookie called 
sql_query would always overwrite the user-submitted sql_query, caused by the 
fact that PHP imports (by default) first GET, then POST, then COOKIE.

-- 
Sebastian
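
The override described in the message above, as an added example that is not part of the original post and is not phpMyAdmin's code: it simulates the GET, POST, COOKIE import order on constructed arrays, lists the parameter names a cookie shadows, and reads the parameter from POST alone. The function names and sample values are assumptions made for illustration.

```php
<?php
// Added illustration. Function names and sample values are constructed;
// in a live request the three arrays would be $_GET, $_POST and $_COOKIE.

/**
 * Merge request sources in the given order ("GPC" = GET, POST, COOKIE).
 * A later source overwrites an earlier one when the names collide,
 * so with "GPC" a cookie replaces a same-named GET or POST value.
 */
function merge_request(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_replace keeps keys as they are, numeric names included.
            $merged = array_replace($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/** Names for which a cookie would shadow a value the user submitted. */
function shadowed_by_cookie(array $get, array $post, array $cookie): array
{
    return array_keys(array_intersect_key($cookie, $get + $post));
}

/** Hardened read: accept the parameter only from the channel the form uses. */
function param_from(array $source, string $name): ?string
{
    return isset($source[$name]) && is_string($source[$name]) ? $source[$name] : null;
}

// Constructed sample: the user submits sql_query by POST while a cookie of
// the same name, set for path '/' by another application, is sent along.
$get    = ['db' => 'shop'];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'VALUE FROM COOKIE', 'lang' => 'en'];

$withCookies    = merge_request('GPC', $get, $post, $cookie);
$withoutCookies = merge_request('GP', $get, $post, $cookie);

echo 'merged, order GPC: ', $withCookies['sql_query'], PHP_EOL;
echo 'merged, order GP:  ', $withoutCookies['sql_query'], PHP_EOL;
echo 'read from POST:    ', param_from($post, 'sql_query'), PHP_EOL;
echo 'shadowed names:    ', implode(', ', shadowed_by_cookie($get, $post, $cookie)), PHP_EOL;
```

On PHP 5.3 and later, the `request_order` setting in php.ini controls which sources are merged into `$_REQUEST`; a value of `"GP"` keeps cookies out of it.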



