
Fix phpmyadmin-security#254 CSRF allowing password reset

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj authored and mauriciofauth committed Jul 22, 2018
1 parent 6c03eba commit 7d3f203131231d09a7485c38355f5cb546cbf897
Showing with 3 additions and 3 deletions.
  1. +3 −3 user_password.php
@@ -43,11 +43,11 @@
* If the "change password" form has been submitted, checks for valid values
* and submit the query or logout
*/
if (isset($_REQUEST['nopass'])) {
if ($_REQUEST['nopass'] == '1') {
if (isset($_POST['nopass'])) {
if ($_POST['nopass'] == '1') {
$password = '';
} else {
$password = $_REQUEST['pma_pw'];
$password = $_POST['pma_pw'];
}
$change_password_message = $userPassword->setChangePasswordMsg();
$msg = $change_password_message['msg'];
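Review bot: In the else branch, `$password = $_POST['pma_pw'];` reads the field with no isset() check, so a POST that carries `nopass` with a value other than '1' and omits `pma_pw` raises an undefined-index notice and leaves `$password` null. Treat a missing `pma_pw` as an invalid submission and stop before the change-password path instead of falling through. Separately, `setChangePasswordMsg()` is called with no arguments, so whatever it validates is read inside that method, which this hunk does not show; if it still reads from `$_REQUEST`, query-string values are accepted there, so it is worth confirming those reads were moved to `$_POST` in the same change. A regression test that sends `nopass` and `pma_pw` via GET and asserts the password is left unchanged would pin the fix.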
