Vigil@nce - phpMyAdmin: information disclosure via BREACH
March 2015 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use the BREACH attack on phpMyAdmin, in order to
obtain a cookie to perform operations on the service.
Impacted products: phpMyAdmin
Severity: 1/4
Creation date: 05/03/2015
DESCRIPTION OF THE VULNERABILITY
The phpMyAdmin product offers a web service over TLS.
However, an attacker can use a TLS BREACH attack
(VIGILANCE-VUL-13198) on language messages, in order to guess the
CSRF session cookie.
An attacker can therefore use the BREACH attack on phpMyAdmin, in
order to obtain a cookie to perform operations on the service.
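The length side channel behind BREACH can be measured on a response template before deployment. The following is an added example, not code from this bulletin or from phpMyAdmin. The page layout, the token values and the per-response masking scheme (a common BREACH mitigation that the bulletin does not describe) are assumptions.

```python
import os
import zlib

# Constructed sample values; none of them come from phpMyAdmin.
TOKEN = "3f9a1c7e5b2d4f6081a2b3c4d5e6f708"   # secret the page embeds
WRONG = "c0d1e2f3a4b5968778695a4b3c2d1e0f"   # same length, unrelated
PREFIX = "name='token' value='"              # markup known to everyone


def page(token_field: str, reflected: str) -> bytes:
    """Hypothetical response: hidden token field plus a reflected request value."""
    return (
        "<html><body><form method='post'>"
        f"<input type='hidden' {PREFIX}{token_field}'>"
        "</form>"
        f"<p class='error'>Unknown language: {reflected}</p>"
        "</body></html>"
    ).encode()


def compressed_len(body: bytes) -> int:
    """Size after DEFLATE, which is what remains visible through TLS."""
    return len(zlib.compress(body, 6))


def mask(token: str) -> str:
    """Per-response masking: hex(pad) + hex(pad XOR token), with a fresh random pad."""
    raw = bytes.fromhex(token)
    pad = os.urandom(len(raw))
    return (pad + bytes(p ^ t for p, t in zip(pad, raw))).hex()


def unmask(masked: str) -> str:
    """Server-side recovery of the real token from a masked field."""
    raw = bytes.fromhex(masked)
    half = len(raw) // 2
    return bytes(p ^ x for p, x in zip(raw[:half], raw[half:])).hex()


def leak_gap(protect: bool) -> int:
    """Bytes saved when the reflected value equals the secret instead of WRONG."""
    field = mask(TOKEN) if protect else TOKEN
    miss = compressed_len(page(field, PREFIX + WRONG))
    hit = compressed_len(page(field, PREFIX + TOKEN))
    return miss - hit


if __name__ == "__main__":
    print("gap with static token:", leak_gap(False))
    print("gap with masked token:", leak_gap(True))
```

A large gap for the static token means the compressed length reveals whether reflected input matches the secret. With masking the field changes on every response, so the gap shrinks to Huffman noise.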
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-information-disclosure-via-BREACH-16316