[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Sebastian Mendel lists at sebastianmendel.de
Mon Mar 3 15:20:45 CET 2008

Marc Delisle schrieb:
> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a 
> security fix.
> Security announcement: 
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
> The release notes and download info are available on
> http://www.phpmyadmin.net.
> Marc Delisle, for the team.

a big german IT news site (heise.de) has reported about our latest release, 
but find fault that the description is unclear what exactly the problem is

possible we should add the term used by stefan esser: "Delayed Cross Site 
Request Forgery"

and explain: another application could set a cookie for the root path '/' 
which could override phpMyAdmins _GET or _POST params, f.e. a cookie called 
sql_query would always overwrite the user submitted sql_query, caused by the 
fact PHP imports (be dafault) first GET than POST than COOKIE


More information about the Developers mailing list