
====================================================================

                             CERT-Renater

                Information Note No. 2017/VULN018
_____________________________________________________________________

DATE                : 24/01/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running phpMyAdmin 4.6.x prior to 4.6.6,
                         4.4.x prior to 4.4.15.10, or 4.0.x prior to 4.0.10.19.

=====================================================================
https://www.phpmyadmin.net/security/PMASA-2017-1/
____________________________________________________________________


PMASA-2017-1

Announcement-ID: PMASA-2017-1

Date: 2017-01-24


Summary

Open redirect


Description

It was possible to trick phpMyAdmin into redirecting to an insecure
destination by using a specially crafted request path.
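
The mitigation a practitioner would want for this class of bug is a strict
check of the redirect target before it is placed in the Location header. The
following is an added example and not phpMyAdmin's code or the fix from the
commits listed below; it is written in Python for illustration and assumes an
application that redirects to a user-supplied path and falls back to a fixed
landing page (DEFAULT_LANDING is a placeholder chosen for the example).

```python
"""Safe-redirect helper: accept only absolute paths on the current host."""
from urllib.parse import urlsplit, unquote

DEFAULT_LANDING = "/index.php"  # placeholder fallback page for this example


def is_safe_local_redirect(target: str) -> bool:
    """Return True only if target is a path on the current host.

    Each candidate is checked as received and again after one round of
    percent-decoding with backslashes folded to slashes, because browsers
    and proxies normalise those forms before following a redirect.
    """
    if not target:
        return False
    for candidate in (target, unquote(target).replace("\\", "/")):
        # Control characters or whitespace could split the header or be
        # dropped by a lenient parser; refuse them outright.
        if any(ord(c) < 0x21 or ord(c) == 0x7F for c in candidate):
            return False
        # Must be path-absolute ("/...") but not protocol-relative ("//host").
        if not candidate.startswith("/") or candidate.startswith("//"):
            return False
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc:
            return False
    return True


def redirect_location(target: str, fallback: str = DEFAULT_LANDING) -> str:
    """Value for the Location header: the target if safe, else the fallback."""
    return target if is_safe_local_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate path and several shapes a
    # user-controlled redirect parameter can take.
    samples = [
        "/index.php?db=test",
        "//evil.example/",
        "/\\evil.example/",
        "https://evil.example/",
        "%2F%2Fevil.example/",
        "/ok\r\nX-Injected: 1",
    ]
    for s in samples:
        print(f"{s!r:32} -> {redirect_location(s)}")
```

Only the first sample is passed through unchanged; every other form is replaced by the fallback page.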


Severity

We consider this vulnerability to be non critical.


Affected Versions

All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to
4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.


Solution

Upgrade to phpMyAdmin 4.6.6, 4.4.15.10, or 4.0.10.19 or newer, or
apply the patches listed below.


References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: Not yet assigned

CWE ids: CWE-661


Patches

The following commits have been made on the 4.6 branch to fix this
issue:

     4c84070
     e37bf40

The following commits have been made on the 4.4 branch to fix this
issue:

     1e5c0ae

The following commits have been made on the 4.0 branch to fix this
issue:

     7fe97a1


More information

For further information and in case of questions, please contact
the phpMyAdmin team. Our website is phpmyadmin.net.


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================