Re: phppgadmin / CVE-2019-10784

To: Brian May <bam@debian.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: phppgadmin / CVE-2019-10784
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Fri, 13 Mar 2020 10:50:45 +0100
Message-id: <[🔎] 0a927029-7ced-3f32-d1d1-c0652e3a60b6@debian.org>
In-reply-to: <[🔎] 87lfo5waln.fsf@silverfish.pri>
References: <CABY6=0=y_=tF9QUydiCvL5MU0y+8Y77nToZrcTgr_mDaTBD4HQ@mail.gmail.com> <[🔎] 87lfo5waln.fsf@silverfish.pri>

On 12/03/2020 22:02, Brian May wrote:
> Ola Lundqvist <ola@inguza.com> writes:
> 
>> I have ideas on how we can reduce the attack possibilities but I cannot
>> find any perfect solution to this.
> 
> What about setting samesite=Lax in the session Cookie?

Wouldn't you need Strict rather than Lax? Otherwise if basite.com sends a POST
request to your phppgadmin instance, the cookie will be sent and you won't have
fixed anything.

Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: phppgadmin / CVE-2019-10784
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: phppgadmin / CVE-2019-10784
  - From: Brian May <bam@debian.org>

Prev by Date: Re: amd64-microcode, test
Next by Date: Re: amd64-microcode, test
Previous by thread: Re: phppgadmin / CVE-2019-10784
Next by thread: Re: phppgadmin / CVE-2019-10784
Index(es):
- Date
- Thread