VYPR
Low severity (3.7) · NVD Advisory · Published Jul 3, 2016 · Updated May 6, 2026

CVE-2016-5702

Description

phpMyAdmin 4.6.x before 4.6.3, when the environment lacks a PHP_SELF value, allows remote attackers to conduct cookie-attribute injection attacks via a crafted URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

phpMyAdmin 4.6.x before 4.6.3 allows cookie-attribute injection via crafted URI when PHP_SELF is missing.

Vulnerability

CVE-2016-5702 is a cookie-attribute injection vulnerability in phpMyAdmin 4.6.x before 4.6.3 [1][3][4]. It is reachable only when the server environment does not supply a PHP_SELF value [1]. In that case the application derives the cookie path from the raw REQUEST_URI instead, and because trailing path information (anything after index.php/) is neither stripped nor validated there, a remote attacker can craft a URI whose path carries a ';' and so inject arbitrary attributes into the cookies phpMyAdmin sets in the browser [1][3][4]. The phpMyAdmin team rates the issue non-critical; all 4.6.x releases before 4.6.3 are affected [3][4].

Exploitation

Exploitation consists of getting a victim to open a crafted URI on a phpMyAdmin instance whose server does not set PHP_SELF [1][3]. No authentication is needed and nothing on the server has to be compromised first, but the cookie is set in the victim's browser, so the attack is delivered through a link. The fix's own test vector shows the shape of the payload: a request for /phpmyadmin/index.php/;%20cookieinj=value/// arrives with a PATH_INFO of /; cookieinj=value/, and the unsanitized path ends up in the cookie's path attribute, where the ';' terminates the path and everything after it is parsed as further attributes [1][3][4]. The fix (commit 27caf5b46bd0890e576fea7bd7b166a0639fdf68) improves detection of the script name: when PHP_SELF is empty it falls back to the URL-decoded REQUEST_URI, strips PATH_INFO from it and passes the result through htmlspecialchars() before it is used for the cookie path [2].
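The derivation above, as an added example that is not phpMyAdmin's own code: a Python model of the two code paths shown in the fix commit, PMA_cleanupPathInfo() and the start of Config::getCookiePath(), run over the fix's own test vectors. The last step of getCookiePath() (dropping the final path segment), the Set-Cookie rendering and the delimiter check are assumptions made for illustration; the model produces strings only and sends no headers.

```python
"""Model of the cookie-path derivation behind CVE-2016-5702, before and after
the 4.6.3 fix.  Added example, not phpMyAdmin's own code: it re-implements in
Python the logic visible in the fix commit for PMA_cleanupPathInfo() and the
start of Config::getCookiePath().  Assumptions: the "drop the last segment"
tail of getCookiePath(), the Set-Cookie rendering and the delimiter check.
"""
from urllib.parse import unquote, urlsplit

# Constructed request environments; the first two are the fix's own test vectors.
# Each tuple is (PHP_SELF, REQUEST_URI, PATH_INFO) as the SAPI would hand to PHP.
REQUESTS = {
    "php_self_set": ("/phpmyadmin/index.php/; cookieinj=value/",
                     "/phpmyadmin/index.php/;%20cookieinj=value///",
                     "/; cookieinj=value/"),
    "php_self_empty": ("",
                       "/phpmyadmin/index.php/;%20cookieinj=value///",
                       "/; cookieinj=value/"),
    "plain": ("/phpmyadmin/index.php", "/phpmyadmin/index.php", ""),
}


def _htmlspecialchars(s: str) -> str:
    """PHP htmlspecialchars() with default flags: &, <, > and \" are encoded."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def _strip_path_info(pma_php_self: str, path_info: str, must_end: bool) -> str:
    """Remove PATH_INFO from the script path.  The pre-fix code only stripped it
    when it terminated the string (must_end=True); the fix strips the last
    occurrence wherever it sits.  (The old mb_strrpos()===false arithmetic
    corner case is not modelled.)"""
    if not path_info or not pma_php_self:
        return pma_php_self
    pos = pma_php_self.rfind(path_info)
    if pos == -1:
        return pma_php_self
    if must_end and pos + len(path_info) != len(pma_php_self):
        return pma_php_self
    return pma_php_self[:pos]


def cleanup_path_info(php_self: str, request_uri: str, path_info: str,
                      fixed: bool) -> str:
    """Models PMA_cleanupPathInfo(): computes $PMA_PHP_SELF."""
    pma_php_self = php_self
    if fixed and not pma_php_self:
        # 4.6.3: fall back to urldecode(REQUEST_URI) when PHP_SELF is empty
        pma_php_self = unquote(request_uri)
    pma_php_self = _strip_path_info(pma_php_self, path_info, must_end=not fixed)
    return _htmlspecialchars(pma_php_self)


def _script_dir(url: str) -> str:
    """Models getCookiePath()'s tail: parse_url()['path'], explode('/') and
    (assumption) dropping the last segment to keep the script's directory."""
    parts = urlsplit(url).path.split("/")
    parts.pop()
    return "/".join(parts) + "/"


def cookie_path(php_self: str, request_uri: str, path_info: str,
                fixed: bool) -> str:
    """Path attribute phpMyAdmin would put on its cookies for this request."""
    pma_php_self = cleanup_path_info(php_self, request_uri, path_info, fixed)
    if not fixed and not pma_php_self:
        # pre-4.6.3 getCookiePath(): raw, undecoded REQUEST_URI when no cleaned
        # script path is available (modelled as empty): the CVE-2016-5702 path
        return _script_dir(request_uri)
    return _script_dir(pma_php_self)


def path_injects_attributes(path: str) -> bool:
    """';' ends the path attribute and starts a new one on the client side;
    ',' and whitespace are the other delimiters a cookie path must never carry."""
    return any(c in path for c in ";, \t\r\n")


def set_cookie_header(name: str, value: str, path: str) -> str:
    """Illustrative rendering of the header the path would end up in."""
    return f"Set-Cookie: {name}={value}; path={path}; HttpOnly"


if __name__ == "__main__":
    for label, (php_self, request_uri, path_info) in REQUESTS.items():
        for fixed in (False, True):
            path = cookie_path(php_self, request_uri, path_info, fixed)
            flag = "INJECTED" if path_injects_attributes(path) else "ok"
            print(f"{label:15} {'4.6.3' if fixed else '4.6.2':6} {flag:8} "
                  + set_cookie_header("pma_lang", "en", path))
```

Run it and the pre-fix row for the empty-PHP_SELF request shows path=/phpmyadmin/index.php/;%20cookieinj=value///, where the ';' ends the path attribute and the rest is read as further attributes; the same request after the fix yields path=/phpmyadmin/. The php_self_set row is the advisory's mitigating factor in action: with PHP_SELF populated, even the old code strips PATH_INFO and produces a clean path.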

Impact

Successful exploitation lets the attacker append attributes of their choosing to cookies phpMyAdmin sets in the victim's browser [3][4]. Which attacks that enables (session fixation, for example) depends on the surrounding application context. The impact is limited to control over cookie attributes; the vulnerability does not by itself yield code execution or information disclosure [3][4].

Mitigation

The vulnerability is fixed in phpMyAdmin 4.6.3, released on 2016-06-23 [3][4]; upgrade to that version or later. The official patch is commit 27caf5b46bd0890e576fea7bd7b166a0639fdf68 [2][3][4]. As a mitigating factor, a properly configured server that populates PHP_SELF is not affected [3][4], so where upgrading is delayed, confirming that the web server and PHP SAPI set PHP_SELF for phpMyAdmin requests is the check to make.

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Ecosystem   Affected versions    Patched versions
phpmyadmin/phpmyadmin    Packagist   >= 4.6.0, < 4.6.3    4.6.3

Affected products: 3

Patches: 1

27caf5b46bd0

Improve detection of script name

https://github.com/phpmyadmin/phpmyadmin · Michal Čihař · Jun 16, 2016 · via GHSA
3 files changed · +94 −9
  • libraries/Config.php (+1 −5, modified)
    @@ -1393,11 +1393,7 @@ public function getCookiePath()
                 return $cookie_path;
             }
     
    -        if (isset($GLOBALS['PMA_PHP_SELF'])) {
    -            $parsed_url = parse_url($GLOBALS['PMA_PHP_SELF']);
    -        } else {
    -            $parsed_url = parse_url(PMA_getenv('REQUEST_URI'));
    -        }
    +        $parsed_url = parse_url($GLOBALS['PMA_PHP_SELF']);
     
             $parts = explode(
                 '/',
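Review bot: collapsing the branch to `$parsed_url = parse_url($GLOBALS['PMA_PHP_SELF']);` makes getCookiePath() silently depend on PMA_cleanupPathInfo() having already run and populated the global from REQUEST_URI; if this is reached first, or the global is unset, parse_url() receives null or '' and the cookie path is computed from an empty string with no error. Either keep a guard that fails loudly (e.g. `if (empty($GLOBALS['PMA_PHP_SELF'])) { ... }`) or state the ordering requirement in the docblock. Note also that the only sanitization the value has seen by this point is the PATH_INFO strip plus htmlspecialchars() in PMA_cleanupPathInfo(), and htmlspecialchars() leaves `;` untouched, so the PATH_INFO strip is the whole defense here.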
    
  • libraries/core.lib.php (+9 −4, modified)
    @@ -940,15 +940,20 @@ function PMA_setGlobalDbOrTable($param)
      */
     function PMA_cleanupPathInfo()
     {
    -    global $PMA_PHP_SELF, $_PATH_INFO;
    +    global $PMA_PHP_SELF;
     
         $PMA_PHP_SELF = PMA_getenv('PHP_SELF');
    +    if (empty($PMA_PHP_SELF)) {
    +        $PMA_PHP_SELF = urldecode(PMA_getenv('REQUEST_URI'));
    +    }
         $_PATH_INFO = PMA_getenv('PATH_INFO');
         if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) {
             $path_info_pos = mb_strrpos($PMA_PHP_SELF, $_PATH_INFO);
    -        $pathLength = $path_info_pos + mb_strlen($_PATH_INFO);
    -        if ($pathLength === mb_strlen($PMA_PHP_SELF)) {
    -            $PMA_PHP_SELF = mb_substr($PMA_PHP_SELF, 0, $path_info_pos);
    +        if ($path_info_pos !== false) {
    +            $path_info_part = mb_substr($PMA_PHP_SELF, $path_info_pos, mb_strlen($_PATH_INFO));
    +            if ($path_info_part == $_PATH_INFO) {
    +                $PMA_PHP_SELF = mb_substr($PMA_PHP_SELF, 0, $path_info_pos);
    +            }
             }
         }
         $PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF);
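Review bot: the new `$path_info_part == $_PATH_INFO` comparison is always true once `mb_strrpos()` has returned a position (the substring at the last occurrence is the needle by definition), so it is dead logic; the behavioural change is dropping the old requirement that PATH_INFO terminate the string, and the `!== false` guard fixes the old code's implicit false-to-0 arithmetic in `$path_info_pos + mb_strlen($_PATH_INFO)`. Drop the redundant comparison, or use `===` if it stays. Two gaps in the fallback: `urldecode(PMA_getenv('REQUEST_URI'))` keeps the query string (REQUEST_URI carries `?...`, PHP_SELF never does), so `$PMA_PHP_SELF` can now end in `?token=...` on such servers; and when the SAPI supplies neither PHP_SELF nor PATH_INFO, the decoded REQUEST_URI is used verbatim, so a `/index.php/;attr=value` suffix survives because `htmlspecialchars()` does not touch `;`. Suggest cutting the fallback at `?` (e.g. `strtok(..., '?')`) and truncating after the script's `.php` segment, or rejecting `;`, `,` and whitespace outright.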
    
  • test/libraries/core/PMA_cleanupPathInfo_test.php (+84 −0, added)
    @@ -0,0 +1,84 @@
    +<?php
    +/* vim: set expandtab sw=4 ts=4 sts=4: */
    +/**
    + *
    + * PMA_fatalError() displays the given error message on phpMyAdmin error page in
    + * foreign language
    + * and ends script execution and closes session
    + *
    + * @package PhpMyAdmin-test
    + */
    +
    +
    +
    +
    +/**
    + *
    + * PMA_fatalError() displays the given error message on phpMyAdmin error page in
    + * foreign language
    + * and ends script execution and closes session
    + *
    + * @package PhpMyAdmin-test
    + */
    +class PMA_CleanupPathInfo_Test extends PHPUnit_Framework_TestCase
    +{
    +    /**
    +     * Test for PMA_cleanupPathInfo
    +     *
    +     * @param string $php_self  The PHP_SELF value
    +     * @param string $request   The REQUEST_URI value
    +     * @param string $path_info The PATH_INFO value
    +     * @param string $expected  Expected result
    +     *
    +     * @return void
    +     *
    +     * @dataProvider pathsProvider
    +     */
    +    public function testPahtInfo($php_self, $request, $path_info, $expected)
    +    {
    +        $_SERVER['PHP_SELF'] = $php_self;
    +        $_SERVER['REQUEST_URI'] = $request;
    +        $_SERVER['PATH_INFO'] = $path_info;
    +        PMA_cleanupPathInfo();
    +        $this->assertEquals(
    +            $expected,
    +            $GLOBALS['PMA_PHP_SELF']
    +        );
    +    }
    +
    +    /**
    +     * Data provider for PMA_cleanupPathInfo tests
    +     *
    +     * @return array
    +     */
    +    public function pathsProvider()
    +    {
    +        return array(
    +            array(
    +                '/phpmyadmin/index.php/; cookieinj=value/',
    +                '/phpmyadmin/index.php/;%20cookieinj=value///',
    +                '/; cookieinj=value/',
    +                '/phpmyadmin/index.php'
    +            ),
    +            array(
    +                '',
    +                '/phpmyadmin/index.php/;%20cookieinj=value///',
    +                '/; cookieinj=value/',
    +                '/phpmyadmin/index.php'
    +            ),
    +            array(
    +                '/phpmyadmin/index.php',
    +                '/phpmyadmin/index.php',
    +                '',
    +                '/phpmyadmin/index.php'
    +            ),
    +            array(
    +                '',
    +                '/phpmyadmin/index.php',
    +                '',
    +                '/phpmyadmin/index.php'
    +            ),
    +        );
    +    }
    +}
    +
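Review bot: the file docblock (pasted twice) describes PMA_fatalError(), not PMA_cleanupPathInfo(), and the method name is misspelled `testPahtInfo`; replace the header with a one-line description of this test and rename the method to `testPathInfo`. Coverage gap: every vector that carries a `/;...` suffix also sets PATH_INFO, so the case the new REQUEST_URI fallback is weakest in is untested. Add a case with empty PHP_SELF, empty PATH_INFO and REQUEST_URI `/phpmyadmin/index.php/;%20cookieinj=value///`, and one with a query string (`/phpmyadmin/index.php?x=1`), to pin down what the fallback yields when the SAPI gives it nothing to strip. The test also writes into `$_SERVER` without restoring it; a `tearDown()` that unsets the three keys keeps later tests isolated.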
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0

No linked articles in our index yet.