
CVE-2016-2041:
phpMyAdmin Unsafe comparison of XSRF/CSRF token

CVSS Score: 7.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.75948%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name          | Ecosystem | Vulnerable Versions    | First Patched Version
phpmyadmin/phpmyadmin | composer  | >= 4.0, < 4.0.10.13    | 4.0.10.13
phpmyadmin/phpmyadmin | composer  | >= 4.4, < 4.4.15.3     | 4.4.15.3
phpmyadmin/phpmyadmin | composer  | >= 4.5, < 4.5.4        | 4.5.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from a non-constant-time comparison between the stored CSRF token ($_SESSION['PMA_token']) and the user-supplied token ($_REQUEST['token']) using the '!=' operator in libraries/common.inc.php. A string comparison that stops at the first differing byte takes slightly longer the more leading bytes of the guess are correct, so response times leak how close a guess is and an attacker who can send many requests and measure them can narrow down the token byte by byte. The patch replaced the '!=' comparison with hash_equals(), which compares the full length of the strings regardless of where they first differ (it still reveals whether the lengths match, which is not a secret here). The vulnerable code is not inside a named function; it sits in the global script flow of common.inc.php, so the entry is keyed to the file and the specific comparison rather than to a function name.
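As an added illustration (this is example code written for this page, not phpMyAdmin's own code or patch), the following PHP puts the vulnerable comparison pattern beside a hardened version. It assumes the caller has already generated a token into the session; the function names, the constantTimeEquals() polyfill and the constructed sample tokens are this example's own. The timing loop at the end only shows the trend on a given machine; single measurements are noisy.

```php
<?php
declare(strict_types=1);

// Vulnerable pattern (as in the pre-fix check described above). PHP's != is a
// loose comparison: two numeric-looking strings are compared as numbers, and
// other strings are compared with memcmp(), which returns as soon as it finds
// a differing byte, so the time spent depends on the length of the matching prefix.
function csrfTokenValidVulnerable(string $stored, string $supplied): bool
{
    return !($stored != $supplied);
}

// Constant-time equality for environments without hash_equals() (PHP < 5.6).
// The loop always walks every byte of the known string; only the length of
// the known string is observable from the running time.
function constantTimeEquals(string $known, string $user): bool
{
    $knownLen = strlen($known);
    if ($knownLen !== strlen($user)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < $knownLen; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

// Hardened check. Beyond constant-time comparison, it refuses anything that is
// not a string: a request such as ?token[]=x would otherwise hand an array to
// hash_equals(), which raises a TypeError on PHP 8 rather than returning false.
function csrfTokenValid(array $session, array $request): bool
{
    if (!isset($session['PMA_token'], $request['token'])
        || !is_string($session['PMA_token'])
        || !is_string($request['token'])) {
        return false;
    }
    if (function_exists('hash_equals')) {
        return hash_equals($session['PMA_token'], $request['token']);
    }
    return constantTimeEquals($session['PMA_token'], $request['token']);
}

// Constructed sample data: a fresh 128-bit token and two guesses, one sharing
// a long prefix with the real token and one differing in the very first byte.
$session = ['PMA_token' => bin2hex(random_bytes(16))];
$token   = $session['PMA_token'];
$goodGuess = substr($token, 0, 30) . 'zz';   // 30 matching bytes, then wrong
$badGuess  = 'zz' . substr($token, 2);       // wrong from byte 0

var_dump(csrfTokenValid($session, ['token' => $token]));        // bool(true)
var_dump(csrfTokenValid($session, ['token' => $goodGuess]));    // bool(false)
var_dump(csrfTokenValid($session, ['token' => ['x']]));         // bool(false)

// Illustrative timing of the vulnerable check: many iterations so that the
// prefix-dependent early exit shows up as a (small, noisy) difference.
function timeCheck(callable $check, string $stored, string $guess, int $n): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $check($stored, $guess);
    }
    return (hrtime(true) - $start) / $n;   // nanoseconds per call, on average
}

$n = 2_000_000;
printf("vulnerable, 30-byte prefix match: %.2f ns/call\n",
    timeCheck('csrfTokenValidVulnerable', $token, $goodGuess, $n));
printf("vulnerable, mismatch at byte 0:   %.2f ns/call\n",
    timeCheck('csrfTokenValidVulnerable', $token, $badGuess, $n));
printf("constant-time, 30-byte prefix:    %.2f ns/call\n",
    timeCheck('constantTimeEquals', $token, $goodGuess, $n));
printf("constant-time, mismatch at byte 0: %.2f ns/call\n",
    timeCheck('constantTimeEquals', $token, $badGuess, $n));
```

Run it with `php example.php` on PHP 7.3 or later (hrtime() was added in 7.3). The three var_dump() lines are deterministic; the timing figures vary by machine and are only meant to show that constantTimeEquals() takes the same time for both guesses while the '!=' version does not have to. Over a network the per-call difference is far smaller than the jitter of a single request, which is why such attacks need many samples; that is also why the CVE is rated as making a bypass "easier" rather than trivial.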


WAF Protection Rules

WAF Rule

libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restri
