[3.2] phpmyadmin: Bypassing the reCaptcha test (CVE-2015-6830)
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass a multiple-reCaptcha protection mechanism against brute-force credential guessing by providing a correct response to a single reCaptcha.
Upgrade to phpMyAdmin 4.3.13.2 or newer, or 4.4.14.1 or newer.
References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6830
https://bugzilla.redhat.com/show_bug.cgi?id=1261813
https://www.phpmyadmin.net/security/PMASA-2015-4/
Upstream patches:
Fix for 4.3:
https://github.com/phpmyadmin/phpmyadmin/commit/0314e67900f01410bc8c81c58a40dc0515e3c91d
Fix for 4.4:
https://github.com/phpmyadmin/phpmyadmin/commit/785f4e2711848eb8945894199d5870253a88584e
(from redmine: issue id 4740, created on 2015-10-06, closed on 2015-10-14)
- Relations:
  - parent #4739 (closed)
- Changesets:
  - Revision c2bfd707 by Natanael Copa on 2015-10-14T08:06:58Z:
    main/phpmyadmin: security upgrade to 4.4.15 (CVE-2015-6830)
    ref #4739
    fixes #4740