Moderate severity · NVD Advisory · Published Sep 14, 2015 · Updated May 6, 2026
CVE-2015-6830
Description
libraries/plugins/auth/AuthenticationCookie.class.php in phpMyAdmin 4.3.x before 4.3.13.2 and 4.4.x before 4.4.14.1 allows remote attackers to bypass the reCaptcha protection against brute-force credential guessing. Once a single reCaptcha was answered correctly, the result was cached in the PHP session and no further captcha was rendered or verified for later login attempts in that session, so an attacker had to solve only one captcha before submitting an unlimited number of password guesses.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.3.0, < 4.3.13.2 | 4.3.13.2 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.4.0, < 4.4.14.1 | 4.4.14.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
Patches
0314e67900f0 — Fix reCaptcha bypass (4.3 branch)
3 files changed · +14 −37
ChangeLog+3 −0 modified@@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +4.3.13.2 (Not yet released) +- bug [security] reCaptcha bypass + 4.3.13.1 (2015-05-13) - bug #4899 [security] CSRF vulnerability in setup - bug #4900 [security] Vulnerability allowing man-in-the-middle attack
libraries/plugins/auth/AuthenticationCookie.class.php+1 −28 modified@@ -218,18 +218,9 @@ public function auth() . $GLOBALS['server'] . '" />'; } // end if (server choice) - // We already have one correct captcha. - $skip = false; - if ( isset($_SESSION['last_valid_captcha']) - && $_SESSION['last_valid_captcha'] - ) { - $skip = true; - } - // Add captcha input field if reCaptcha is enabled if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) - && !$skip ) { // If enabled show captcha to the user on the login screen. echo '<script type="text/javascript"> @@ -349,18 +340,9 @@ public function authCheck() return false; } - // We already have one correct captcha. - $skip = false; - if ( isset($_SESSION['last_valid_captcha']) - && $_SESSION['last_valid_captcha'] - ) { - $skip = true; - } - // Verify Captcha if it is required. if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) - && !$skip ) { if ( !empty($_POST["recaptcha_challenge_field"]) && !empty($_POST["recaptcha_response_field"]) @@ -378,22 +360,15 @@ public function authCheck() // Check if the captcha entered is valid, if not stop the login. if ( !$resp->is_valid ) { $conn_error = __('Entered captcha is wrong, try again!'); - $_SESSION['last_valid_captcha'] = false; return false; - } else { - $_SESSION['last_valid_captcha'] = true; } } elseif (! empty($_POST["recaptcha_challenge_field"]) && empty($_POST["recaptcha_response_field"]) ) { $conn_error = __('Please enter correct captcha!'); return false; } else { - if (! isset($_SESSION['last_valid_captcha']) - || ! $_SESSION['last_valid_captcha'] - ) { - return false; - } + return false; } } @@ -406,8 +381,6 @@ public function authCheck() if (! defined('TESTSUITE')) { session_destroy(); - // $_SESSION array is not immediately emptied - $_SESSION['last_valid_captcha'] = false; } // -> delete password cookie(s) if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
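Review bot: In the authCheck() hunk the final `else` branch now returns `false` without setting `$conn_error`, so a login POST that carries neither `recaptcha_challenge_field` nor `recaptcha_response_field` is rejected silently, while the two sibling branches report `Entered captcha is wrong, try again!` and `Please enter correct captcha!`; the 4.4 commit for the same bug sets the message in that branch. I would change the new line to `$conn_error = __('Please enter correct captcha!');` followed by `return false;`. Removing the session flag means the captcha is verified on every credential submission, which is the intended fix; a one-line comment above the verify block such as `// A captcha must be solved on every login attempt; never cache the result in the session.` would stop the shortcut from being reintroduced. authCheck() starts and ends outside the hunk.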
test/classes/plugin/auth/PMA_AuthenticationCookie_test.php+10 −9 modified@@ -186,7 +186,8 @@ public function testAuth() $GLOBALS['cfg']['Lang'] = 'en'; $GLOBALS['cfg']['AllowArbitraryServer'] = true; $GLOBALS['cfg']['Servers'] = array(1, 2); - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $GLOBALS['target'] = 'testTarget'; $GLOBALS['db'] = 'testDb'; $GLOBALS['table'] = 'testTable'; @@ -328,7 +329,6 @@ public function testAuth() $GLOBALS['cfg']['Lang'] = ''; $GLOBALS['cfg']['AllowArbitraryServer'] = false; $GLOBALS['cfg']['Servers'] = array(1); - $_SESSION['last_valid_captcha'] = false; $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey'; $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey'; $GLOBALS['server'] = 0; @@ -470,7 +470,6 @@ public function testAuthCheck() // case 2 - $_SESSION['last_valid_captcha'] = false; $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey'; $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey'; $_POST["recaptcha_challenge_field"] = 'captcha1'; @@ -487,7 +486,6 @@ public function testAuthCheck() // case 3 - $_SESSION['last_valid_captcha'] = false; $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey'; $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey'; $_POST["recaptcha_challenge_field"] = ''; @@ -532,7 +530,8 @@ public function testAuthCheck() // case 6 - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $_REQUEST['old_usr'] = ''; $_REQUEST['pma_username'] = 'testPMAUser'; $_REQUEST['pma_servername'] = 'testPMAServer'; 
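Review bot: The test changes only swap `$_SESSION['last_valid_captcha'] = true` for empty `CaptchaLoginPrivateKey`/`CaptchaLoginPublicKey` values so the existing cases keep passing; nothing in the hunks asserts the fixed behaviour itself. I would add a case after `// case 3` that sets both captcha keys, deliberately sets `$_SESSION['last_valid_captcha'] = true` as a stale flag, leaves both recaptcha POST fields empty, and asserts `$this->object->authCheck()` returns false — proving the session value is now ignored. Case 3 appears to cover an empty challenge field, but its assertion is outside the hunk so I cannot tell whether it exercises the stale-session path. testAuthCheck() begins and ends outside the hunk.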
@@ -662,8 +661,8 @@ public function testAuthCheckDecryptUser() $_COOKIE['pma_iv'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; $_SESSION['last_access_time'] = ''; - $_SESSION['last_valid_captcha'] = true; - + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; // mock for blowfish function $this->object = $this->getMockBuilder('AuthenticationCookie') ->disableOriginalConstructor() @@ -700,7 +699,8 @@ public function testAuthCheckDecryptPassword() $_COOKIE['pmaPass-1'] = 'pmaPass1'; $_COOKIE['pma_iv'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $_SESSION['last_access_time'] = time() - 1000; $GLOBALS['cfg']['LoginCookieValidity'] = 1440; @@ -745,7 +745,8 @@ public function testAuthCheckAuthFails() $_COOKIE['pma_iv'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; $_SESSION['last_access_time'] = 1; - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $GLOBALS['cfg']['LoginCookieValidity'] = 0; $_SESSION['last_access_time'] = -1; // mock for blowfish function
785f4e271184 — Fix reCaptcha bypass (4.4 branch)
3 files changed · +15 −36
ChangeLog+3 −0 modified@@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +4.4.14.1 (Not yet released) +- issue [security] reCaptcha bypass + 4.4.14.0 (2015-08-20) - issue #11367 Export after search, missing WHERE clause - issue #11380 Incomplete message after import
libraries/plugins/auth/AuthenticationCookie.class.php+2 −29 modified@@ -223,18 +223,9 @@ public function auth() . $GLOBALS['server'] . '" />'; } // end if (server choice) - // We already have one correct captcha. - $skip = false; - if ( isset($_SESSION['last_valid_captcha']) - && $_SESSION['last_valid_captcha'] - ) { - $skip = true; - } - // Add captcha input field if reCaptcha is enabled if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) - && !$skip ) { // If enabled show captcha to the user on the login screen. echo '<script src="https://www.google.com/recaptcha/api.js?hl=' @@ -336,8 +327,6 @@ public function authCheck() if (! defined('TESTSUITE')) { session_destroy(); - // $_SESSION array is not immediately emptied - $_SESSION['last_valid_captcha'] = false; } // -> delete password cookie(s) if ($GLOBALS['cfg']['LoginCookieDeleteAll']) { @@ -359,18 +348,9 @@ public function authCheck() if (! empty($_REQUEST['pma_username'])) { - // We already have one correct captcha. - $skip = false; - if (isset($_SESSION['last_valid_captcha']) - && $_SESSION['last_valid_captcha'] - ) { - $skip = true; - } - // Verify Captcha if it is required. if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey']) - && ! $skip ) { if (! empty($_POST["g-recaptcha-response"])) { @@ -388,18 +368,11 @@ public function authCheck() // Check if the captcha entered is valid, if not stop the login. if ($resp == null || ! $resp->isSuccess()) { $conn_error = __('Entered captcha is wrong, try again!'); - $_SESSION['last_valid_captcha'] = false; return false; - } else { - $_SESSION['last_valid_captcha'] = true; } } else { - if (! isset($_SESSION['last_valid_captcha']) - || ! $_SESSION['last_valid_captcha'] - ) { - $conn_error = __('Please enter correct captcha!'); - return false; - } + $conn_error = __('Please enter correct captcha!'); + return false; } }
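Review bot: The verify block in authCheck() now requires a `g-recaptcha-response` on every credential submission, but nothing in the code records why the cached session result was removed, which is exactly the kind of "optimisation" a later change could reintroduce. I would add above `if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])`: `// A captcha must be solved on every login attempt. Caching a previous result in the session allowed unlimited password guesses after one solved captcha (PMASA-2015-4).` Note also that a solved captcha gates one guess and is not a rate limit, so deployments wanting brute-force resistance still need lockout or throttling, presumably configured outside this class. authCheck() starts and ends outside the hunk.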
test/classes/plugin/auth/PMA_AuthenticationCookie_test.php+10 −7 modified@@ -186,7 +186,8 @@ public function testAuth() $GLOBALS['cfg']['Lang'] = 'en'; $GLOBALS['cfg']['AllowArbitraryServer'] = true; $GLOBALS['cfg']['Servers'] = array(1, 2); - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $GLOBALS['target'] = 'testTarget'; $GLOBALS['db'] = 'testDb'; $GLOBALS['table'] = 'testTable'; @@ -308,7 +309,6 @@ public function testAuth() $GLOBALS['cfg']['Lang'] = ''; $GLOBALS['cfg']['AllowArbitraryServer'] = false; $GLOBALS['cfg']['Servers'] = array(1); - $_SESSION['last_valid_captcha'] = false; $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey'; $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey'; $GLOBALS['server'] = 0; @@ -431,7 +431,6 @@ public function testAuthCheck() // case 2 - $_SESSION['last_valid_captcha'] = false; $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey'; $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey'; $_POST["g-recaptcha-response"] = ''; @@ -481,7 +480,8 @@ public function testAuthCheck() // case 6 - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $_REQUEST['old_usr'] = ''; $_REQUEST['pma_username'] = 'testPMAUser'; $_REQUEST['pma_servername'] = 'testPMAServer'; @@ -611,7 +611,8 @@ public function testAuthCheckDecryptUser() $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; $_SESSION['last_access_time'] = ''; - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; // mock for blowfish function $this->object = $this->getMockBuilder('AuthenticationCookie') 
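Review bot: As in the 4.3 branch, these hunks only disable the captcha keys where the tests previously relied on `$_SESSION['last_valid_captcha']`, so the suite would not catch a regression that re-caches the captcha result. I would add a case in testAuthCheck() with both captcha keys set, `$_SESSION['last_valid_captcha'] = true`, `$_POST['g-recaptcha-response'] = ''`, and an assertion that `authCheck()` returns false and `$GLOBALS['conn_error']` is the "Please enter correct captcha!" message. testAuthCheck() begins and ends outside the hunk.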
@@ -649,7 +650,8 @@ public function testAuthCheckDecryptPassword() $_COOKIE['pmaPass-1'] = 'pmaPass1'; $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $_SESSION['last_access_time'] = time() - 1000; $GLOBALS['cfg']['LoginCookieValidity'] = 1440; @@ -694,7 +696,8 @@ public function testAuthCheckAuthFails() $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09'); $GLOBALS['cfg']['blowfish_secret'] = 'secret'; $_SESSION['last_access_time'] = 1; - $_SESSION['last_valid_captcha'] = true; + $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = ''; + $GLOBALS['cfg']['CaptchaLoginPublicKey'] = ''; $GLOBALS['cfg']['LoginCookieValidity'] = 0; $_SESSION['last_access_time'] = -1; // mock for blowfish function
Vulnerability mechanics
Before the fix, AuthenticationCookie.class.php recorded a successful reCaptcha verification in `$_SESSION['last_valid_captcha']`. On each later request both `auth()` (which renders the login form) and `authCheck()` (which validates the submitted credentials) tested that flag and set `$skip = true`, so the captcha widget was neither displayed nor verified again for the lifetime of the PHP session, and the fallback branch rejected a login only when the flag was absent. An attacker therefore needed to solve one captcha and could then submit credential guesses within the same session without any further challenge. Both fix commits delete the flag and its `$skip` short-circuit, so a reCaptcha response must be present and validated on every credential submission; the reset of the flag on logout is dropped because the flag no longer exists. (Generated on May 9, 2026 from the CWE entries and the fix-commit diffs above; citations validated against the bundle.)
References
- www.phpmyadmin.net/security/PMASA-2015-4/ (nvd: Patch, Vendor Advisory)
- github.com/advisories/GHSA-v6fh-vg22-r6cmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-6830ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2015-September/166294.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-September/166307.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2015-September/166531.htmlnvdWEB
- www.debian.org/security/2015/dsa-3382nvdWEB
- github.com/phpmyadmin/phpmyadmin/commit/0314e67900f01410bc8c81c58a40dc0515e3c91dghsaWEB
- github.com/phpmyadmin/phpmyadmin/commit/785f4e2711848eb8945894199d5870253a88584envdWEB
- web.archive.org/web/20200228052837/http://www.securityfocus.com/bid/76674ghsaWEB
- web.archive.org/web/20211215060142/http://www.securitytracker.com/id/1033546ghsaWEB
- www.phpmyadmin.net/security/PMASA-2015-4ghsaWEB
- www.securityfocus.com/bid/76674nvd
- www.securitytracker.com/id/1033546nvd