PhpMyAdmin Fixes File Inclusion and Cross Site Scripting Vulnerabilities

PhpMyAdmin announces the release of its new version 4.8.4 that contains several important security vulnerability fixes. Update the new version for your website now.

phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services.

Following vulnerabilities were found.

1. XSRF/CSRF vulnerability found in phpMyAdmin

Impact of vulnerability

By deceiving a user to click on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.

Version Affected

PhpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 were affected.

2. XSS Vulnerability found in PhpMyAdmin

A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.

Impact

The stored XSS vulnerabilities can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.

Version Affect

phpMyAdmin versions from at least 4.0 through 4.8.3 were affected

3. Local file inclusion found in PhpMyAdmin

A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.

Impact Version

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected

PhpMyAdmin security fixes involve-

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle-

  • Issue with changing theme
  • Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
  • Fix for message “Error while copying database (pma__column_info)”
  • Move operation causes “SELECT * FROM `undefined`” error
  • When logging with $cfg[‘AuthLog’] to syslog, successful login messages were not logged when $cfg[‘AuthLogSuccess’] was true
  • Multiple errors and regressions with Designer

Upgrade to phpMyAdmin 4.8.4 version now

Join Our Club

Enter your Email address to receive notifications | Join over Million Followers

Leave a Reply
Previous Article
Wipe An iPhone

How To Wipe An iPhone?

Next Article
Facebook Hacked

Facebook API Bug Allow To See Hidden Photos

Related Posts
Total
0
Share