Cybersecurity Vulnerability

Thanks for the post, @jmiamaral !

I looked into the 3 mentioned here and do not see them in our incident database or docs at all.  Note that these are all 10+ years old, though I don’t see them referenced in our databases at all.

CVE-2011-2505

Libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a "remote variable manipulation vulnerability."

CVE-2011-2506

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.

CVE-2010-3065

The default session serializer in PHP 5.2 through 5.2.13 and 5.3 through 5.3.2 does not properly handle the PS_UNDEF_MARKER marker, which allows context-dependent attackers to modify arbitrary session variables via a crafted session variable name.

@Mike Struening  so you think this is not an issue at all, since they are all  +10 years old?

@Onno van den Berg im on 24.43

@jmiamaral any update?