[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Mon Mar 3 15:24:31 CET 2008


Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a 
>> security fix.
>>
>> Security announcement: 
>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>>
>> The release notes and download info are available on
>> http://www.phpmyadmin.net.
>>
>> Marc Delisle, for the team.
> 
> A big German IT news site (heise.de) has reported on our latest release,
> but finds fault that the description is unclear about what exactly the problem is.
> 
> Possibly we should add the term used by Stefan Esser: "Delayed Cross Site 
> Request Forgery"
> 
> and explain: another application could set a cookie for the root path '/' 
> which could override phpMyAdmin's _GET or _POST params, e.g. a cookie called 
> sql_query would always overwrite the user-submitted sql_query, caused by the 
> fact that PHP imports (by default) first GET, then POST, then COOKIE.
> 
In such security announcements, it's not always clear what is better for 
the whole community: provide a quasi-exploit or stay vague... I chose to 
stay vague.
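The mechanism Sebastian describes above, shown as an added example that is not phpMyAdmin's code or part of the original thread: a small function that reproduces PHP's merge of GET, POST and COOKIE into $_REQUEST (later sources overwrite earlier ones, following the `variables_order` / `request_order` letters), a constructed request where a cookie named `sql_query` shadows the POST field of the same name, and the defensive pattern of reading the parameter only from the channel the form actually uses. The function names `buildRequest` and `readSqlQuery` are assumptions for this illustration.

```php
<?php
// Added example, not phpMyAdmin code. Reproduces PHP's merge of the
// GET, POST and COOKIE arrays into $_REQUEST: the letters of
// request_order (or variables_order when request_order is empty) are
// applied left to right and each source overwrites keys set by the
// previous one, so with "GPC" a cookie wins over a POST field.
function buildRequest(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge overwrites existing string keys
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Constructed sample request: the user posted one query through the form,
// while a cookie of the same name, scoped to path '/', is also present.
$get    = [];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'SELECT 2'];

// Vulnerable pattern: trusting the merged array.
$request = buildRequest($get, $post, $cookie);
var_dump($request['sql_query']);           // string(8) "SELECT 2" (the cookie, not the form)

// With cookies excluded from the merge order, the form value survives.
$request = buildRequest($get, $post, $cookie, 'GP');
var_dump($request['sql_query']);           // string(8) "SELECT 1"

// Hardened pattern: read the parameter from $_POST (the channel the form
// submits on) and never from $_REQUEST or from a cookie.
function readSqlQuery(array $post): ?string
{
    if (!isset($post['sql_query']) || !is_string($post['sql_query'])) {
        return null;
    }
    return $post['sql_query'];
}
var_dump(readSqlQuery($post));             // string(8) "SELECT 1"

// Deployment check: on PHP >= 5.3, request_order = "GP" keeps cookies out
// of $_REQUEST altogether; an empty value means variables_order applies.
var_dump(ini_get('request_order'), ini_get('variables_order'));
```

The point for a reviewer is the second half: code that reads `$_REQUEST` (or uses `import_request_variables`) inherits whatever a cookie on the shared host sets, while code that reads `$_POST`/`$_GET` explicitly is unaffected by the cookie regardless of the ini configuration.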
