Bug 930992 (CVE-2015-3902) - VUL-1: CVE-2015-3902: phpMyAdmin: XSRF/CSRF vulnerability in phpMyAdmin setup (PMASA-2015-2)
Summary: VUL-1: CVE-2015-3902: phpMyAdmin: XSRF/CSRF vulnerability in phpMyAdmin setup...
Status: RESOLVED FIXED
Alias: CVE-2015-3902
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P4 - Low    Severity: Minor
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116792/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-15 08:14 UTC by Andreas Stieger
Modified: 2015-07-06 11:31 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-05-15 08:14:18 UTC
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php

Announcement-ID: PMASA-2015-2
Date: 2015-05-13
Summary: XSRF/CSRF vulnerability in phpMyAdmin setup.
Description: By deceiving a user to click on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup.

Severity: We consider this vulnerability to be non-critical.

Mitigation factor: This vulnerability only affects the configuration file generation process and does not affect the effective configuration file. Moreover, the configuration file being generated is at risk only during the period when it's writable.

Affected Versions: Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution: Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.
References

Thanks to Inti De Ceukelaire (http://ceukelai.re) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3902

CWE ids: CWE-661 CWE-352
Patches

The following commits have been made to fix this issue:

    ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83

The following commits have been made on the 4.3 branch to fix this issue:

    9817bd4030de949ba9ce4cd1b3f047e22d8f66bd

The following commits have been made on the 4.2 branch to fix this issue:

    c903ecf6751684b6af2d079c78b1f0d09ea2bd47

The following commits have been made on the 4.0 branch to fix this issue:

    fea1d39fef540afa4105c6fbcc849f7e516f3da8


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1221580
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3902
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3902.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3902


Already fixed in server:php:applications / phpMyAdmin
Update for 13.1 and 13.2 pending. Eric, if you are interested, you can submit this as a maintenance update; we can assist you, or I can handle the update for the distribution.
Comment 1 Swamp Workflow Management 2015-05-15 22:00:13 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-06-26 14:44:22 UTC
taking for a security maintenance update
Comment 3 Bernhard Wiedemann 2015-06-26 15:00:14 UTC
This is an autogenerated message for OBS integration:
This bug (930992) was mentioned in
https://build.opensuse.org/request/show/313850 13.2+13.1 / phpMyAdmin
Comment 4 Swamp Workflow Management 2015-07-04 10:06:11 UTC
openSUSE-SU-2015:1191-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 920773,930992,930993
CVE References: CVE-2015-2206,CVE-2015-3902,CVE-2015-3903
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.2.13.3-11.1
openSUSE 13.1 (src):    phpMyAdmin-4.2.13.3-31.1
Comment 5 Andreas Stieger 2015-07-06 11:31:21 UTC
released