Hosting-new.com

Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.

This release fixes two security vulnerabilities:

• PMASA-2019-3 is an SQL injection flaw in the Designer feature
• PMASA-2019-4 is a CSRF attack that’s possible through the ‘cookie’ login form

Version 4.9.0 mistakenly did not include a commit and 4.9.0.1 was quickly released to include that missing fix.

Upgrading is highly recommended for all users. Using the ‘http’ auth_type instead of ‘cookie’ can mitigate the CSRF attack.

The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.

As a result of the removal of this feature, we have decided the change in behavior justifies a version increase from 4.8.x to 4.9. We strive to adhere to Semantic Versioning principles, which prohibit removing features in patch releases. Previously version 4.8.x was intended as the LTS version supporting PHP 5.5; because of this change the LTS branch will now become version 4.9.x.

This release also includes fixes for many bugs, including:

• Several issues with SYSTEM VERSIONING tables
• Fixed json encode error in export
• Fixed JavaScript events not activating on input (sql bookmark issue)
• Show Designer combo boxes when adding a constraint
• Fix edit view
• Fixed invalid default value for bit field
• Fix several errors relating to GIS data types
• Fixed javascript error PMA_messages is not defined
• Fixed import XML data with leading zeros
• Fixed php notice, added support for ‘DELETE HISTORY’ table privilege (MariaDB >= 10.3.4)
• Fixed MySQL 8.0.0 issues with GIS display
• Fixed “Server charset” in “Database server” tab showing wrong information
• Fixed can not copy user on Percona Server 5.7
• Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems

There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.

The phpMyAdmin team

edit 2019-06-05 – Added information about why this is 4.9.0 rather than 4.8.x.

phpMyAdmin news

The phpMyAdmin project is excited to announce our student projects for the 2019 Google Summer of Code. We’ve had many great applicants and it is unfortunate that we were only able to accept these three.

• Apoorv Khare will be working on a series of general improvements, fixing bugs and adding improvements to the interface,
• Mohit Kuri’s projoct is to to refactor and improve the Designer interface, and
• Nupur Agrawal has been selected to convert the user interface to Bootstrap 4. These changes will make it easier for developers to maintain a consistent style and appearance throughout the application.

This year, the mentors from phpMyAdmin were pleased with the amount of student support; many students joined the conversation on Gitter and other forums to help other students with their applications and offer their support of each other. This response was overwhelming and reflects wonderfully on the student applicants.

Students who were not selected are welcome to continue to contribute to the phpMyAdmin community and, for those who will be eligible next year, we hope you’ll apply again.

Summer of Code is a Google initiative where Google funds college students getting paid for real-world experience and mentorship through open source projects. For many students, this is the first exposure to an open source project. Several phpMyAdmin team members have started as GSoC students. This marks phpMyAdmin’s tenth year of participation in GSoC.

phpMyAdmin news

The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.

The security fixes involve:

• Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
• SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)

The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $ cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

• Export to SQL format not available
• QR code not shown when adding two-factor authentication to a user account
• Issue with adding a new user in MySQL 8.0.11 and newer
• Frozen interface relating to Text_Plain_Sql plugin
• Table level Operations tab was missing

And several more. Complete notes are in the ChangeLog file included with this release.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

The phpMyAdmin project is announcing an upcoming security release. We feel this vulnerability is significant enough to make this announcement in advance. Our intention is to release the download for version 4.8.4 on Tuesday (December 11) at approximately 1400-1500 UTC.

Details about the vulnerabilities will be provided at the time of release. Users, package managers, and others with questions or concerns can reach the security team in private at security@phpmyadmin.net.

phpMyAdmin news

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes.

The security fixes involve:

• Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
• XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
• an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

• Issue with changing theme
• Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
• Fix for message “Error while copying database (pma__column_info)”
• Move operation causes “SELECT * FROM `undefined`” error
• When logging with $ cfg[‘AuthLog’] to syslog, successful login messages were not logged when $ cfg[‘AuthLogSuccess’] was true
• Multiple errors and regressions with Designer

And several more. Complete notes are in the ChangeLog file included with this release.

Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it’s beneficial to the community.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.

A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user in to executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

• An error where a database is named 0
• Fix for NULL as default not being shown
• Fix for recent tables list
• Fix for slow performance with table filtering
• Two-factor authentication (2FA) fails if the GD PHP library is missing
• Event scheduler toggle does not work
• ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
• PHP 7.3 warning: “continue” in “switch” is equal to “break”

And several more. Complete notes are in the ChangeLog file included with this release.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news