phpMyAdmin security fix v4.8.5 will patch an SQL injection and an arbitrary file read vulnerability.
Security is a daily, ongoing endeavor and discipline in today’s online world. In a security blog post, the developers of phpMyAdmin announced version 4.8.5 of their software to address a few security-related issues.
The security fixes involve:
- Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
- SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
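To check an installation against the two conditions described above (a release older than 4.8.5 and $cfg['AllowArbitraryServer'] set to true), here is an added example, not code from phpMyAdmin or from the announcement. The function names, the regex-based parsing and the sample config are assumptions made for illustration; pass in the text of your own config.inc.php and the version your install reports.

```python
import re

FIXED = (4, 8, 5)  # release the post names as carrying the fixes

# Constructed sample config.inc.php; not taken from any real installation.
SAMPLE_CONFIG = """<?php
/* $cfg['AllowArbitraryServer'] = false; */
// $cfg['AllowArbitraryServer'] = false;
$cfg['Servers'][1]['host'] = 'localhost';
$cfg['AllowArbitraryServer'] = true;
"""

# Live (uncommented) assignments only: the statement must start its line.
ASSIGN = re.compile(
    r"""^\s*\$cfg\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*([^;]+);""", re.M)
FALSY = {"false", "0", "null", "''", '""'}

def parse_version(text):
    """'4.8.0.1' -> (4, 8, 0, 1); suffixes such as '-rc1' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in m.group().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def allow_arbitrary_server(config_src):
    """Effective value of the directive; unset means false (the default)."""
    src = re.sub(r"/\*.*?\*/", "", config_src, flags=re.S)  # drop block comments
    values = ASSIGN.findall(src)
    if not values:
        return False
    # The last assignment wins; anything not plainly false counts as enabled.
    return values[-1].strip().lower() not in FALSY

def audit(version, config_src):
    outdated = parse_version(version) < FIXED
    enabled = allow_arbitrary_server(config_src)
    return {"outdated": outdated,
            "allow_arbitrary_server": enabled,
            "file_read_precondition": outdated and enabled}

if __name__ == "__main__":
    for v in ("4.8.4", "4.8.5"):
        print(v, audit(v, SAMPLE_CONFIG))
```

An "outdated" result still calls for the update even when the directive is off, since the Designer SQL injection fix ships in the same release.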
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
- Export to SQL format not available
- QR code not shown when adding two-factor authentication to a user account
- Issue with adding a new user in MySQL 8.0.11 and newer
- Frozen interface relating to Text_Plain_Sql plugin
- Table level Operations tab was missing
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
Update if you've got it, and as always, great work by the devs!