Security fix: phpMyAdmin 4.8.5 is released

Posted by: Admin  :  Category: Phpmyadmin

The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.

The security fixes involve:

  • Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
  • SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)

The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
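The two conditions named above (the non-default AllowArbitraryServer setting and a version older than 4.8.5) are what an administrator should check first. The following is an added example, not code from the phpMyAdmin project: it parses boolean $cfg[...] assignments from a constructed config.inc.php sample and reports whether the directive is enabled and whether the installed version predates the fix.

```python
"""Audit a phpMyAdmin config.inc.php for AllowArbitraryServer and compare
the installed version against the first fixed release (4.8.5)."""
import re

FIXED_VERSION = (4, 8, 5)  # first release carrying the PMASA-2019-1 fix

# Constructed sample config (not a real deployment). The commented-out
# line must not count as an assignment; the later line enables the directive.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'placeholder-secret';
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;
$cfg['Servers'][$i]['host'] = 'localhost';
"""

# Matches top-level boolean assignments such as $cfg['Name'] = true;
_ASSIGN = re.compile(r"^\s*\$cfg\['(\w+)'\]\s*=\s*(true|false)\s*;",
                     re.IGNORECASE)


def parse_bool_settings(config_text: str) -> dict:
    """Return top-level boolean $cfg[...] settings; the last assignment wins.
    // and # line comments are skipped and /* */ blocks are stripped first."""
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue
        match = _ASSIGN.match(line)
        if match:
            settings[match.group(1)] = match.group(2).lower() == "true"
    return settings


def parse_version(version: str) -> tuple:
    """Turn a dotted version string like '4.8.4' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def audit(config_text: str, installed_version: str) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    settings = parse_bool_settings(config_text)
    if settings.get("AllowArbitraryServer", False):
        findings.append("AllowArbitraryServer is enabled (default is false)")
    if parse_version(installed_version) < FIXED_VERSION:
        findings.append(f"version {installed_version} predates 4.8.5 "
                        "(PMASA-2019-1 / PMASA-2019-2 fixes absent)")
    return findings
```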

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

  • Export to SQL format not available
  • QR code not shown when adding two-factor authentication to a user account
  • Issue with adding a new user in MySQL 8.0.11 and newer
  • Frozen interface relating to Text_Plain_Sql plugin
  • Table level Operations tab was missing

And several more. Complete notes are in the ChangeLog file included with this release.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

Upcoming security release pre-announcement

Posted by: Admin  :  Category: Phpmyadmin

The phpMyAdmin project is announcing an upcoming security release. We feel this vulnerability is significant enough to make this announcement in advance. Our intention is to release the download for version 4.8.4 on Tuesday (December 11) at approximately 1400-1500 UTC.

Details about the vulnerabilities will be provided at the time of release. Users, package managers, and others with questions or concerns can reach the security team in private at security@phpmyadmin.net.

phpMyAdmin news

Security fix: phpMyAdmin 4.8.4 is released

Posted by: Admin  :  Category: Phpmyadmin

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes.

The security fixes involve:

  • Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
  • XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
  • an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

  • Issue with changing theme
  • Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
  • Fix for message “Error while copying database (pma__column_info)”
  • Move operation causes “SELECT * FROM `undefined`” error
  • When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
  • Multiple errors and regressions with Designer

And several more. Complete notes are in the ChangeLog file included with this release.

Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide to use this approach in the future, and your feedback will help us decide whether it is beneficial to the community.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

Security fix: phpMyAdmin 4.8.3 is released

Posted by: Admin  :  Category: Phpmyadmin

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.

A flaw was discovered in how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user into executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

  • An error where a database is named 0
  • Fix for NULL as default not being shown
  • Fix for recent tables list
  • Fix for slow performance with table filtering
  • Two-factor authentication (2FA) fails if the GD PHP library is missing
  • Event scheduler toggle does not work
  • ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
  • PHP 7.3 warning: “continue” in “switch” is equal to “break”

And several more. Complete notes are in the ChangeLog file included with this release.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

Security fix: phpMyAdmin 4.8.2 is released

Posted by: Admin  :  Category: Phpmyadmin

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains an important security update and it is highly recommended that all users upgrade immediately.

The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement.

A second flaw was also fixed that allowed an attacker to use a specially crafted database name to trick a user into executing a cross-site scripting (XSS) attack in the Designer feature.

In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:

  • WHERE 0 clause causes a fatal error
  • Fix missing “INDEX” icon

Known issues:

  • Unable to log in with MySQL 8.0.11 (bug #14220, see also https://bugs.php.net/bug.php?id=76243)
  • A few users have reported being unable to log in with a persistent error message “Failed to set session cookie. Maybe you are using HTTP instead of HTTPS”. In some cases, clearing the phpMyAdmin cookies (‘pma*’) resolves the issue.

Downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

phpMyAdmin 4.8.1 is released

Posted by: Admin  :  Category: Phpmyadmin

Welcome to phpMyAdmin 4.8.1, a bug fix release.

A complete list of changes and bugs fixed is available from the ChangeLog file or changelog.php included with this release.

A few highlights of bugs fixed include:

  • Fix to the scrollbar functionality and Browse table CSS overflow
  • Dropping indexes and keys fails
  • Show two factor (2FA) secret code next to QR image
  • Configuration for DefaultLang and Lang
  • MariaDB 10.2 ‘current_timestamp()’
  • Remember table sorting is broken

Known issues:

  • Unable to log in with MySQL 8.0.11 (bug #14220, see also https://bugs.php.net/bug.php?id=76243)
  • A few users have reported being unable to log in with a persistent error message “Failed to set session cookie. Maybe you are using HTTP instead of HTTPS”. In some cases, clearing the phpMyAdmin cookies (‘pma*’) resolves the issue.

As always, downloads are available from https://www.phpmyadmin.net

The phpMyAdmin team

phpMyAdmin news