PhpMyAdmin Fixes File Inclusion and Cross Site Scripting Vulnerabilities

PhpMyAdmin announces the release of its new version 4.8.4 that contains several important security vulnerability fixes. Update the new version for your website now.

phpMyAdmin is a free and open source administration tool for MySQL and MariaDB. As a portable web application written primarily in PHP, it has become one of the most popular MySQL administration tools, especially for web hosting services.

Following vulnerabilities were found.

1. XSRF/CSRF vulnerability found in phpMyAdmin

Impact of vulnerability

By deceiving a user to click on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.

Version Affected

PhpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 were affected.

2. XSS Vulnerability found in PhpMyAdmin

A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.

Impact

The stored XSS vulnerabilities can be triggered only by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.

Version Affect

phpMyAdmin versions from at least 4.0 through 4.8.3 were affected

3. Local file inclusion found in PhpMyAdmin

A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.

Impact Version

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected

PhpMyAdmin security fixes involve-

In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle-

  • Issue with changing theme
  • Ensure that database names with a dot (‘.’) are handled properly when DisableIS is true
  • Fix for message “Error while copying database (pma__column_info)”
  • Move operation causes “SELECT * FROM `undefined`” error
  • When logging with $cfg[‘AuthLog’] to syslog, successful login messages were not logged when $cfg[‘AuthLogSuccess’] was true
  • Multiple errors and regressions with Designer

Upgrade to phpMyAdmin 4.8.4 version now

For the latest update about Cyber and Infosec World, follow us on Twitter, Facebook, Telegram , Instagram and subscribe to our YouTube Channel.

Subscribe to HackersOnlineClub via Email

Enter your Email address to receive notifications of Latest Posts by Email | Join over Million Followers

More from Priyanshu Sahay

Facebook Stored Passwords in Plain-Text Mistakenly

Oops! Facebook down again in security. The social network website Facebook have...
Read More

Leave a Reply