Miggo Logo
Book a Demo
Miggo Vulnerability Database
CVE-2016-9851

CVE-2016-9851:
phpMyAdmin Bypass logout timeout

5.3

CVSS Score

Basic Information

CVE ID
CVE-2016-9851
GHSA ID
GHSA-r2vw-p77f-vc27
EPSS Score
-
CWE
CWE-384
Published
5/17/2022
Updated
4/24/2024
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
phpmyadmin/phpmyadmincomposer>= 4.6, < 4.6.54.6.5
phpmyadmin/phpmyadmincomposer>= 4.4, < 4.4.15.94.4.15.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability (CWE-384) involves session fixation/expiration flaws. phpMyAdmin's session management in affected versions would have relied on functions like PMA_checkTimeout to validate session activity against timeout thresholds. The patch commits (8ee12d3/fbad6b9) likely added parameter validation in this function to prevent crafted requests from resetting session timestamps illegitimately. The lack of proper input sanitization in this critical session timeout check function would directly enable the described bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*n issu* w*s *is*ov*r** in p*pMy**min. Wit* * *r**t** r*qu*st p*r*m*t*r v*lu* it is possi*l* to *yp*ss t** lo*out tim*out. *ll *.*.x v*rsions (prior to *.*.*), *n* *.*.x v*rsions (prior to *.*.**.*) *r* *****t**.

Reasoning

T** vuln*r**ility (*W*-***) involv*s s*ssion *ix*tion/*xpir*tion *l*ws. p*pMy**min's s*ssion m*n***m*nt in *****t** v*rsions woul* **v* r*li** on *un*tions lik* PM*_****kTim*out to v*li**t* s*ssion **tivity ***inst tim*out t*r*s*ol*s. T** p*t** *ommi