Cookie Encryption Vulnerability in phpMyAdmin
CVE-2016-6606
8.1 HIGH
What is CVE-2016-6606?
A flaw exists in the cookie encryption mechanism within phpMyAdmin that makes it susceptible to padding oracle attacks. This vulnerability enables an attacker with access to a user's browser cookie file to decrypt sensitive information, namely the username and password. A significant concern arises from the re-use of the same initialization vector (IV) for hashing the username and password together in the phpMyAdmin cookie. If a user's password matches their username, an attacker who examines the cookie can easily deduce this correlation, even if they cannot directly decode the hash. Affected versions include phpMyAdmin 4.6.x (before 4.6.4), 4.4.x (before 4.4.15.8), and 4.0.x (before 4.0.10.17).
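The IV re-use described above, as an added PHP example that is not phpMyAdmin's code or its actual fix: the same key and IV applied to two equal values yields equal ciphertexts, while a fresh IV per value plus a MAC checked before decryption hides the equality and leaves no padding error for a forged cookie to probe. The helper names (`encrypt_cbc`, `seal`, `open_sealed`), keys and credential values are constructed for illustration.

```php
<?php
// Added illustration, not phpMyAdmin source. Keys, values and helper names are constructed.
function encrypt_cbc(string $plain, string $key, string $iv): string
{
    return openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

// Hardened form: fresh random IV per value, then HMAC over IV || ciphertext.
function seal(string $plain, string $encKey, string $macKey): string
{
    $iv = random_bytes(16);
    $ct = encrypt_cbc($plain, $encKey, $iv);
    return base64_encode($iv . $ct . hash_hmac('sha256', $iv . $ct, $macKey, true));
}

// The MAC is verified in constant time before decryption is attempted.
function open_sealed(string $cookie, string $encKey, string $macKey): ?string
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $ct  = substr($raw, 16, -32);
    $mac = substr($raw, -32);
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $macKey, true), $mac)) {
        return null; // rejected before any padding check can run
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

$encKey = random_bytes(32);
$macKey = random_bytes(32);
$user = 'dbadmin'; // constructed sample
$pass = 'dbadmin'; // same as the username, the case the advisory describes

// Weak pattern: one IV shared by both cookie values. The comparison below is
// all that someone holding the cookie needs; no key is involved.
$sharedIv = random_bytes(16);
var_dump(encrypt_cbc($user, $encKey, $sharedIv) === encrypt_cbc($pass, $encKey, $sharedIv));

// Hardened pattern: the same comparison on sealed values, then a round trip.
$sealedUser = seal($user, $encKey, $macKey);
$sealedPass = seal($pass, $encKey, $macKey);
var_dump($sealedUser === $sealedPass);
var_dump(open_sealed($sealedPass, $encKey, $macKey) === $pass);
```

Using separate encryption and MAC keys, as here, keeps a weakness in one primitive from carrying over to the other.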