[phpMyAdmin Developers] Question regarding fix of CVE 2020-26935 - SQL Injection via SearchController

studentProject studentProject at protonmail.com
Thu Dec 17 14:43:49 CET 2020


Hello,

we are two students from the University of Applied Sciences Hof in Germany, and for a module about IT security we are researching the vulnerability marked with CVE 2020-26935, which describes a possible SQLi attack via SearchController.

The issue has already been documented by phpMyAdmin:
https://www.phpmyadmin.net/security/PMASA-2020-6/

And the responsible fix has also been linked as a git commit in the link above:
https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2

We are writing because we do not fully understand in which way the commit in question fixes any possible SQLi attacks mentioned in the CVE. As far as our research goes, we have figured out that the where_clause gets signed with an HMAC signature, which doesn't necessarily provide security against said attacks.

Would you mind elaborating how the commit mentioned in the issue linked above fixes the CVE (2020-26935) in question? We are clueless considering the given commit doesn't seem to clear up the question for us. Is the commit linked in the PMASA-2020-6 note perhaps wrong? Does the fix lie in another method/class or even in the frontend instead?

Regards
MKrebs & JHiller
Students @ HAW Hof
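
The technique the message above refers to (an HMAC signature over a server-generated where_clause), shown as an added example that is not part of the original message and not phpMyAdmin's code. The function names, the session secret handling and the sample clauses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not phpMyAdmin's functions.

/** Sign a server-generated SQL fragment with a per-session secret. */
function signFragment(string $fragment, string $sessionSecret): string
{
    return hash_hmac('sha256', $fragment, $sessionSecret);
}

/** Accept a fragment coming back from the client only if its signature matches. */
function verifyFragment(string $fragment, string $signature, string $sessionSecret): bool
{
    // hash_equals compares in constant time, so the check does not leak
    // how many leading characters of the signature were correct.
    return hash_equals(signFragment($fragment, $sessionSecret), $signature);
}

// Assumption: the secret is generated server-side, kept in the session,
// and never sent to the browser.
$sessionSecret = random_bytes(32);

// Constructed sample: the server builds the clause for a row link and signs it.
$whereClause = '`id` = 42';
$sign = signFragment($whereClause, $sessionSecret);

// Constructed sample requests as they might come back from the browser.
$requests = [
    'unchanged'       => ['where_clause' => $whereClause, 'sign' => $sign],
    'modified clause' => ['where_clause' => '`id` = 42 OR `id` = 43', 'sign' => $sign],
    'missing sign'    => ['where_clause' => $whereClause, 'sign' => ''],
];

foreach ($requests as $label => $req) {
    $ok = verifyFragment($req['where_clause'], $req['sign'], $sessionSecret);
    // Only a fragment that verifies would be allowed into a query.
    printf("%-16s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

The signature does not sanitise the fragment; it only proves that the fragment is byte-for-byte what the server generated earlier in the same session. It therefore helps only where the clause is built server-side and merely round-trips through the client.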