The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes.
The security fixes involve:
- Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
- XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
- an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
- Issue with changing theme
- Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
- Fix for message “Error while copying database (pma__column_info)”
- Move operation causes “SELECT * FROM `undefined`” error
- When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
- Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with this release.
Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list firstname.lastname@example.org or privately at email@example.com. We may or may not decide to use this behavior in the future and your feedback will help us decide whether it’s beneficial to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/