Vulnerability Name:

CVE-2006-5116 (CCN-29329)

Assigned:2006-09-28
Published:2006-09-28
Updated:2018-10-17
Summary:Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin before 2.9.1-rc1 allow remote attackers to perform unauthorized actions as another user by (1) directly setting a token in the URL through dynamic variable evaluation and (2) unsetting arbitrary variables via the _REQUEST array, related to (a) libraries/common.lib.php, (b) session.inc.php, and (c) url_generating.lib.php.
Note: the PHP unset function vector is covered by CVE-2006-3017.
CVSS v3 Severity:3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:5.1 Medium (CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P)
3.8 Low (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N)
1.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-Other
Vulnerability Consequences:Other
References:Source: VIM
Type: UNKNOWN
20061003 Concerning CSRF in phpMyAdmin 2.9.0.1 (CVE-2006-5116)

Source: MITRE
Type: CNA
CVE-2006-5116

Source: SUSE
Type: UNKNOWN
SUSE-SA:2006:071

Source: CONFIRM
Type: Patch
http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download

Source: CCN
Type: SA22126
phpMyAdmin Cross-Site Request Forgery Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
22126

Source: SECUNIA
Type: UNKNOWN
22781

Source: SECUNIA
Type: UNKNOWN
23086

Source: SREASON
Type: UNKNOWN
1677

Source: DEBIAN
Type: UNKNOWN
DSA-1207

Source: DEBIAN
Type: DSA-1207
phpmyadmin -- several vulnerabilities

Source: MISC
Type: UNKNOWN
http://www.hardened-php.net/advisory_072006.130.html

Source: CCN
Type: phpMyAdmin Web site
phpMyAdmin | MySQL Database Administration Tool | www.phpmyadmin.net

Source: CONFIRM
Type: UNKNOWN
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5

Source: BUGTRAQ
Type: UNKNOWN
20061001 Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities

Source: BID
Type: Patch
20253

Source: CCN
Type: BID-20253
PHPMyAdmin Multiple Cross-Site Scripting Vulnerabilities

Source: XF
Type: UNKNOWN
phpmyadmin-multiple-csrf(29301)

Source: XF
Type: UNKNOWN
phpmyadmin-multiple-unspecified(29329)

Source: SUSE
Type: SUSE-SA:2006:071
phpMyAdmin security upgrade to 2.9.1.1

Vulnerable Configuration:Configuration 1:
  • cpe:/a:phpmyadmin:phpmyadmin:2.8.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.1:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.1_dev:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.8.4:*:*:*:*:*:*:*
  • OR cpe:/a:phpmyadmin:phpmyadmin:2.9.0_dev:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:20065116 | V | CVE-2006-5116 | 2015-11-16
    oval:org.debian:def:1207 | V | several vulnerabilities | 2013-01-21
    phpmyadmin phpmyadmin 2.8.0.1
    phpmyadmin phpmyadmin 2.8.0.2
    phpmyadmin phpmyadmin 2.8.0.3
    phpmyadmin phpmyadmin 2.8.1
    phpmyadmin phpmyadmin 2.8.1_dev
    phpmyadmin phpmyadmin 2.8.3
    phpmyadmin phpmyadmin 2.8.4
    phpmyadmin phpmyadmin 2.9.0_dev