SQL injection attack

PMASA-2016-19

Announcement-ID: PMASA-2016-19

Date: 2016-06-23

Summary

SQL injection attack

Description

A vulnerability was discovered that allows an SQL injection attack to run arbitrary commands as the control user.

Severity

We consider this vulnerability to be serious

Mitigation factor

This attack requires a controluser to exist and be configured in config.inc.php, therefore the attack can be mitigated by temporarily disabling the controluser.

Affected Versions

Versions 4.6.x (prior to 4.6.3) and 4.4.x (prior to 4.4.15.7) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer or apply patch listed below.

References

Thanks to Brian “geeknik” Carpenter for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5703

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

• ef6c66dca1b0cb0a1a482477938cfc859d2baee3

The following commits have been made on the 4.4 branch to fix this issue:

• 8a0705008b9b79c9579d1b23ce3fb323b33ea32f

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.