Hosting-new.com

Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.

This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated PMASA-2019-5.
There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.

This release includes fixes for many bugs, including:

• Fixes for the “Failed to set session cookie” error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
• Fix for Advisor with MySQL 8.0.3 and newer
• Fix PHP deprecation errors
• Fix a situation where exporting users after a delete query could remove users
• Fix incorrect “You do not have privileges to manipulate with the users!” warning
• Fix copying a database’s privileges and several other problems moving columns with MariaDB
• Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export

There are many, many more bug fixes thanks to the efforts of our developers and other contributors.

The phpMyAdmin team

phpMyAdmin news

Welcome to the first release candidate of phpMyAdmin 5.0.0. This release features a great number of new features and bug fixes.

This is expected to be the final release candidate before 5.0.0 is finalized. Please visit https://github.com/phpmyadmin/phpmyadmin/milestones to stay updated on the expected release date and known bugs.

Since 5.0.0-alpha1, there have been several bugfixes, none of which are particularly notable. For a complete comparison, you could visit https://github.com/phpmyadmin/phpmyadmin/compare/RELEASE_5_0_0ALPHA1..RELEASE_5_0_0RC1.

The following are the release notes from 5.0.0-alpha1:

With this release, we are removing support of old PHP versions (5.5, 5.6, 7.0, and HHVM). These versions are outdated and are no longer supported by the PHP team. Detailed requirement information is available in the documentation included with the download or at https://docs.phpmyadmin.net/en/latest/require.html. As shown at https://www.phpmyadmin.net/downloads/#support our current branch of 4.9.x is planned to remain supported for some time in an LTS capacity.

Some of the changes and new features include:

• Enable columns names by default for CSV exports
• Add Metro theme
• Automatically add the index when creating an auto increment column
• Improvements to exporting views
• Prompt the user for confirmation before running an UPDATE query with no WHERE clause
• Improvements to how errors are show to the user (including allowing easier copying of the error text to the clipboard)
• Added keystrokes to clear the line (ctrl+l) and clear the entire console window (ctrl+u)
• Use charset ‘windows-1252’ when export format is MS Excel

There are several more changes, please refer to the ChangeLog file included with the release for full details.

Known shortcomings:

Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220.

Downloads are available now at https://phpmyadmin.net/downloads/

Our work would not be possible without the donations of our generous sponsor, and this release in particular is brought to you thanks to the hard work of our Google Summer of Code students and many other contributors.

For the team,
Isaac

phpMyAdmin news

Welcome to phpMyAdmin 4.9.1, a bugfix release.

This is a regularly-schedule bugfix release that also includes some security hardening measures.

We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release.

This release includes fixes for many bugs, including:

• Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13 and newer
• Compatibility issues with PHP 8
• Export of GIS visualization
• Enhanced descriptions for several collation types
• Creating a user with a single quote in the password string
• Unexpected quotes during import and export on text fields
• Improvements to adding new tables to Designer
• Fix an issue where an authenticated user could trigger heavy traffic between the database server and web server
• Fix a weakness where an attacker, under certain conditions, working at the same time as an administrator is using the setup script, could delete a server from the setup script

There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.

The phpMyAdmin team

phpMyAdmin news

Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.

This release fixes two security vulnerabilities:

• PMASA-2019-3 is an SQL injection flaw in the Designer feature
• PMASA-2019-4 is a CSRF attack that’s possible through the ‘cookie’ login form

Version 4.9.0 mistakenly did not include a commit and 4.9.0.1 was quickly released to include that missing fix.

Upgrading is highly recommended for all users. Using the ‘http’ auth_type instead of ‘cookie’ can mitigate the CSRF attack.

The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.

As a result of the removal of this feature, we have decided the change in behavior justifies a version increase from 4.8.x to 4.9. We strive to adhere to Semantic Versioning principles, which prohibit removing features in patch releases. Previously version 4.8.x was intended as the LTS version supporting PHP 5.5; because of this change the LTS branch will now become version 4.9.x.

This release also includes fixes for many bugs, including:

• Several issues with SYSTEM VERSIONING tables
• Fixed json encode error in export
• Fixed JavaScript events not activating on input (sql bookmark issue)
• Show Designer combo boxes when adding a constraint
• Fix edit view
• Fixed invalid default value for bit field
• Fix several errors relating to GIS data types
• Fixed javascript error PMA_messages is not defined
• Fixed import XML data with leading zeros
• Fixed php notice, added support for ‘DELETE HISTORY’ table privilege (MariaDB >= 10.3.4)
• Fixed MySQL 8.0.0 issues with GIS display
• Fixed “Server charset” in “Database server” tab showing wrong information
• Fixed can not copy user on Percona Server 5.7
• Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems

There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.

The phpMyAdmin team

edit 2019-06-05 – Added information about why this is 4.9.0 rather than 4.8.x.

phpMyAdmin news

The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.

The security fixes involve:

• Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
• SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)

The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $ cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

• Export to SQL format not available
• QR code not shown when adding two-factor authentication to a user account
• Issue with adding a new user in MySQL 8.0.11 and newer
• Frozen interface relating to Text_Plain_Sql plugin
• Table level Operations tab was missing

And several more. Complete notes are in the ChangeLog file included with this release.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes.

The security fixes involve:

• Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
• XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
• an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

• Issue with changing theme
• Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
• Fix for message “Error while copying database (pma__column_info)”
• Move operation causes “SELECT * FROM `undefined`” error
• When logging with $ cfg[‘AuthLog’] to syslog, successful login messages were not logged when $ cfg[‘AuthLogSuccess’] was true
• Multiple errors and regressions with Designer

And several more. Complete notes are in the ChangeLog file included with this release.

Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it’s beneficial to the community.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

phpMyAdmin news