[phpMyAdmin Developers] Bug Posted by Another User

Isaac Bennetch bennetch at gmail.com
Thu Sep 19 13:11:38 CEST 2019


Hi Todd,

Thanks for reaching out to us. You're correct that the attack vector
here is quite small, and as such when it was first reported we decided
to fix it as part of our regular bugfixing process, targeting
phpMyAdmin 4.9.1. The fix is actually already completed in a private
way where we track security patches, just waiting for me to release
4.9.1.

There was indeed a report to our private security list, so that's why
you didn't see it referenced in the public archives.

Thanks for the kind words, we always love hearing from our users. We
also appreciate you calling our attention to this publication.

Isaac




On Wed, Sep 18, 2019 at 6:57 AM Todd Reed <tdreed at abrimos.com> wrote:
>
> It "seems" it would be an easy fix. According to the original poster it says he alerted the development team.
>
> I searched the archive and maybe he private messaged a couple developers?
>
> https://www.cvedetails.com/cve/CVE-2019-12922/
>
> https://seclists.org/fulldisclosure/2019/Sep/23
>
> The bug would have very low probability of exploit. You would have to be logged into an existing phpMyAdmin session and simultaneously trick the user to click on a link while in the setup stage.
>
> Thought I would post here that the bug is publicly posted.
>
> Thanks,
> Todd
>
> P.S. Enjoy phpMyAdmin. Been using it off and on over a decade.