Several flaws were discovered in the CSRF authentication code of
phpMyAdmin.
- CVE-2016-2039
The XSRF/CSRF token is generated with a weak algorithm using
functions that do not return cryptographically secure values.
- CVE-2016-2041
The comparison of the XSRF/CSRF token parameter with the value saved
in the session is vulnerable to timing attacks. Moreover, the
comparison could be bypassed if the XSRF/CSRF token matches a
particular pattern.
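
One way to address both classes of flaw in PHP, given here as an added example that is not phpMyAdmin's code or its actual fix. The function names and the plain array standing in for $_SESSION are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: hypothetical helper names, not phpMyAdmin's API.

/** Issue a per-session token taken from the OS CSPRNG (PHP >= 7.0). */
function csrf_issue_token(array &$session): string
{
    // 32 bytes = 256 bits of unpredictable data, hex-encoded for use in forms.
    $session['csrf_token'] = bin2hex(random_bytes(32));
    return $session['csrf_token'];
}

/** Check a submitted token against the one stored in the session. */
function csrf_token_is_valid(array $session, $submitted): bool
{
    $expected = $session['csrf_token'] ?? null;

    // Reject a missing or empty stored token and any non-string input
    // (a request parameter sent as token[]=x arrives as an array).
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;
    }

    // hash_equals() compares the raw bytes with no type conversion, and its
    // running time does not depend on the position of the first mismatch.
    return hash_equals($expected, $submitted);
}

// Constructed demonstration; $session stands in for $_SESSION.
$session = [];
$token = csrf_issue_token($session);

var_dump(csrf_token_is_valid($session, $token));       // token as issued
var_dump(csrf_token_is_valid($session, $token . 'x')); // altered token
var_dump(csrf_token_is_valid($session, ['x']));        // non-string input
var_dump(csrf_token_is_valid([], ''));                 // no token in session
```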