PMASA-2015-4

Announcement-ID: PMASA-2015-4

Date: 2015-09-08

Summary

Vulnerability that allows bypassing the reCaptcha test

Description

This vulnerability allows an attacker to complete the reCaptcha test once and subsequently perform a brute-force attack to guess user credentials without having to complete further reCaptcha tests.
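As an added illustration of the failure mode described above (constructed example, not phpMyAdmin's code): a toy login whose session remembers a single captcha pass for every later attempt, beside a variant that demands a fresh captcha response per attempt and caps failed logins (CWE-307). The credentials, the `captcha_ok` stub and the session model are assumptions made for the demonstration.

```python
from dataclasses import dataclass

# Constructed credentials for the model; a real deployment checks a user store.
VALID_USER, VALID_PASS = "admin", "correct horse"
MAX_FAILURES = 5


def captcha_ok(response: str) -> bool:
    """Stand-in for the reCaptcha verification call ("solved" = a correct response)."""
    return response == "solved"


@dataclass
class Session:
    captcha_passed: bool = False  # flag that the weak variant never clears
    failures: int = 0


def login_weak(sess: Session, user: str, password: str, captcha_response: str) -> str:
    """Captcha result is cached in the session: one solved captcha unlocks unlimited guesses."""
    if not sess.captcha_passed:
        if not captcha_ok(captcha_response):
            return "captcha_required"
        sess.captcha_passed = True
    return "ok" if (user, password) == (VALID_USER, VALID_PASS) else "bad_credentials"


def login_fixed(sess: Session, user: str, password: str, captcha_response: str) -> str:
    """Each attempt needs its own captcha response, and repeated failures lock the session."""
    if sess.failures >= MAX_FAILURES:
        return "locked"
    if not captcha_ok(captcha_response):
        return "captcha_required"
    if (user, password) == (VALID_USER, VALID_PASS):
        sess.failures = 0
        return "ok"
    sess.failures += 1
    return "bad_credentials"


def replay_guesses(login, wordlist):
    """Feed a constructed wordlist to a login function, solving the captcha on the
    first attempt only. Returns (password accepted or None, captcha prompts seen)."""
    sess, prompts = Session(), 0
    for i, guess in enumerate(wordlist):
        result = login(sess, VALID_USER, guess, "solved" if i == 0 else "")
        if result == "captcha_required":
            prompts += 1
        elif result == "ok":
            return guess, prompts
        elif result == "locked":
            break
    return None, prompts
```

With the weak variant the guesses after the first never see a captcha prompt; with the fixed variant every unsolved attempt is stopped at the captcha.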

Severity

We consider this vulnerability to be non critical since reCaptcha is an additional opt-in security measure.

Mitigation factor

This vulnerability only affects installations with the reCaptcha test enabled.

Affected Versions

Versions 4.3.x (prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1) are affected.

Solution

Upgrade to phpMyAdmin 4.3.13.2 or newer, or 4.4.14.1 or newer, or apply the patch listed below.

References

Assigned CVE ids: CVE-2015-6830

CWE ids: CWE-661, CWE-307

Patches

The following commits have been made on the 4.3 branch to fix this issue:

The following commits have been made on the 4.4 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.