HTTP Response Splitting and file inclusion vulnerability.

PMASA-2009-1 Announcement-ID: PMASA-2009-1 Date: 2009-03-24 Summary HTTP Response Splitting and file inclusion vulnerability. Description The BLOB streaming feature allowed attacker to include arbitrary files and inject HTTP headers using crafted URL parameters. Severity We consider this...

XSS vulnerability

PMASA-2006-6 Announcement-ID: PMASA-2006-6 Date: 2006-11-01 Summary XSS vulnerability Description We received a security advisory from Stefan Esser [email protected] and we wish to thank him for his work. It was possible to produce XSS via a special URL containing UTF-7 codes Severity We...

Username rule matching issues

PMASA-2016-61 Announcement-ID: PMASA-2016-61 Date: 2016-11-25 Updated: 2016-12-06 Summary Username rule matching issues Description A vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution tim...

Multiple XSS vulnerabilities

PMASA-2016-31 Announcement-ID: PMASA-2016-31 Date: 2016-07-11 Summary Multiple XSS vulnerabilities Description XSS vulnerabilities were discovered in: The database privilege check The "Remove partitioning" functionality Specially crafted database names can trigger the XSS attack. Severity We...

Full path disclosure vulnerability in SQL parser.

PMASA-2016-8 Announcement-ID: PMASA-2016-8 Date: 2016-01-24 Summary Full path disclosure vulnerability in SQL parser. Description By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the...

glibc/iconv Vulnerability (CVE-2024-2961)

PMASA-2025-3 Announcement-ID: PMASA-2025-3 Date: 2025-01-21 Summary glibc/iconv Vulnerability CVE-2024-2961 Description There was a vulnerability found in glibc/iconv that could potentially affect phpMyAdmin under specific circumstances. By default, phpMyAdmin is not vulnerable, but since we use...

Open redirect

PMASA-2017-1 Announcement-ID: PMASA-2017-1 Date: 2017-01-24 Summary Open redirect Description It was possible to trick phpMyAdmin to redirect to insecure using special request path. Severity We consider this vulnerability to be non critical. Affected Versions All 4.6.x versions prior to 4.6.6,...

CSS injection in themes

PMASA-2017-4 Announcement-ID: PMASA-2017-4 Date: 2017-01-24 Summary CSS injection in themes Description It was possible to cause CSS injection in themes by crafted cookie parameters. Severity We consider this to be non critical. Affected Versions All 4.6.x versions prior to 4.6.6, 4.4.x versions...

Referrer leak in url.php

PMASA-2016-50 Announcement-ID: PMASA-2016-50 Date: 2016-07-24 Summary Referrer leak in url.php Description A vulnerability was discovered where an attacker can determine the phpMyAdmin host location through the file url.php. Severity We consider this to be of moderate severity. Affected Versions...

Unsafe handling of preg_replace parameters

PMASA-2016-27 Announcement-ID: PMASA-2016-27 Date: 2016-06-23 Summary Unsafe handling of pregreplace parameters Description In some versions of PHP, it's possible for an attacker to pass parameters to the pregreplace function which can allow the execution of arbitrary PHP code. This code is not...

XSS vulnerability in SQL editor.

PMASA-2016-9 Announcement-ID: PMASA-2016-9 Date: 2016-01-24 Summary XSS vulnerability in SQL editor. Description With a crafted SQL query, it is possible to trigger an XSS attack in the SQL editor. Severity We consider this vulnerability to be non-critical. Mitigation factor This vulnerability ca...

Multiple full path disclosure vulnerabilities.

PMASA-2016-6 Announcement-ID: PMASA-2016-6 Date: 2016-01-24 Summary Multiple full path disclosure vulnerabilities. Description By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path...

Local file inclusion vulnerability.

PMASA-2013-4 Announcement-ID: PMASA-2013-4 Date: 2013-04-24 Summary Local file inclusion vulnerability. Description In the Export feature, a parameter specifying the export type was not correctly validated, opening the door to a local file inclusion attack. Severity We consider this vulnerability...

Path disclosure due to insufficient url parameter validation.

PMASA-2011-15 Announcement-ID: PMASA-2011-15 Date: 2011-10-17 Summary Path disclosure due to insufficient url parameter validation. Description When the jsframe parameter of phpmyadmin.css.php is defined as an array, an error message shows the full path of this file, leading to possible further...

Several XSS vulnerabilities were found in the code.

PMASA-2010-5 Announcement-ID: PMASA-2010-5 Date: 2010-08-20 Summary Several XSS vulnerabilities were found in the code. Description It was possible to conduct a XSS attack using crafted URLs or POST parameters on several pages. Severity We consider this vulnerability to be serious. Mitigation...

Local file inclusion through transformation feature

PMASA-2018-6 Announcement-ID: PMASA-2018-6 Date: 2018-12-07 Summary Local file inclusion through transformation feature Description A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration...

Multiple SQL injection vulnerabilities

PMASA-2016-69 Announcement-ID: PMASA-2016-69 Date: 2016-11-25 Updated: 2016-12-06 Summary Multiple SQL injection vulnerabilities Description With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the...

IPv6 and proxy server IP-based authentication rule circumvention

PMASA-2016-47 Announcement-ID: PMASA-2016-47 Date: 2016-07-21 Summary IPv6 and proxy server IP-based authentication rule circumvention Description A vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules. When...

Denial of service (DOS) attack in transformation feature

PMASA-2016-41 Announcement-ID: PMASA-2016-41 Date: 2016-07-14 Summary Denial of service DOS attack in transformation feature Description A vulnerability was found in the transformation feature allowing a user to trigger a denial-of-service DOS attack against the server. Severity We consider this...

Path traversal with SaveDir and UploadDir

PMASA-2016-37 Announcement-ID: PMASA-2016-37 Date: 2016-07-12 Summary Path traversal with SaveDir and UploadDir Description A vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a...

Leakage of line count of an arbitrary file.

PMASA-2014-16 Announcement-ID: PMASA-2014-16 Date: 2014-11-20 Summary Leakage of line count of an arbitrary file. Description In the error reporting feature, a parameter specifying the file was not correctly validated, allowing the attacker to derive the line count of an arbitrary file. Severity ...

XSS in view operations page.

PMASA-2014-9 Announcement-ID: PMASA-2014-9 Date: 2014-08-17 Summary XSS in view operations page. Description With a crafted view name it is possible to trigger an XSS when dropping the view in view operation page. Severity We consider this vulnerability to be non critical. Mitigation factor This...

Self-XSS due to unescaped HTML output in navigation items hiding feature.

PMASA-2014-3 Announcement-ID: PMASA-2014-3 Date: 2014-06-20 Summary Self-XSS due to unescaped HTML output in navigation items hiding feature. Description When hiding or unhiding a crafted table name in the navigation, it is possible to trigger an XSS. Severity We consider this vulnerability to be...

Local file inclusion.

PMASA-2011-10 Announcement-ID: PMASA-2011-10 Date: 2011-07-23 Summary Local file inclusion. Description Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion. Severity We consider this vulnerability to be serious. Mitigation factor The phpMyAdmin's...

Code execution vulnerability

PMASA-2008-7 Announcement-ID: PMASA-2008-7 Date: 2008-09-15 Updated: 2008-09-17 Summary Code execution vulnerability Description We received an advisory from Norman Hippert and we wish to thank him for his work. The serverdatabases.php script was vulnerable to an attack coming from a user who is...

XSS vulnerability in navigation tree

PMASA-2018-8 Announcement-ID: PMASA-2018-8 Date: 2018-12-07 Summary XSS vulnerability in navigation tree Description A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name. Severity W...

Path disclosure due to missing library.

PMASA-2012-3 Announcement-ID: PMASA-2012-3 Date: 2012-08-09 Summary Path disclosure due to missing library. Description The showconfigerrors.php script does not include a library, so an error message shows the full path of this file, leading to possible further attacks. Severity We consider this...

Local file inclusion.

PMASA-2011-17 Announcement-ID: PMASA-2011-17 Date: 2011-11-10 Summary Local file inclusion. Description Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file limited by the privileges of the user running the web server. Severity We consider...

Denial of service (DOS) attack with dbase extension

PMASA-2016-55 Announcement-ID: PMASA-2016-55 Date: 2016-07-25 Summary Denial of service DOS attack with dbase extension Description A flaw was discovered where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. Severity We consider this...

SQL injection attack

PMASA-2016-40 Announcement-ID: PMASA-2016-40 Date: 2016-07-14 Summary SQL injection attack Description A vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality. Severity We consider this...

Multiple XSS vulnerabilities

PMASA-2016-26 Announcement-ID: PMASA-2016-26 Date: 2016-06-23 Summary Multiple XSS vulnerabilities Description A vulnerability was reported allowing a specially crafted table name to cause an XSS attack through the functionality to check database privileges. This XSS doesn't exist in some...

Global variables overwrite in "export.php".

PMASA-2013-5 Announcement-ID: PMASA-2013-5 Date: 2013-04-24 Summary Global variables overwrite in "export.php". Description The export script generates global variables from those present in the $$POST superglobal. This may lead to other exploits in the export script. Severity We consider this...

XSS in setup.

PMASA-2011-16 Announcement-ID: PMASA-2011-16 Date: 2011-10-17 Summary XSS in setup. Description Crafted values entered in the setup interface can produce XSS; also, if the config directory exists and is writeable, the XSS payload can be saved to this directory. Severity We consider this...

XSS attack on setup script.

PMASA-2010-7 Announcement-ID: PMASA-2010-7 Date: 2010-09-08 Summary XSS attack on setup script. Description It was possible to conduct a XSS attack using spoofed request to setup script. Severity We consider this vulnerability to be non critical. Affected Versions For 3.x: versions before 3.3.7 a...

XSS on plausible insecure PHP installation

PMASA-2008-4 Announcement-ID: PMASA-2008-4 Date: 2008-06-23 Summary XSS on plausible insecure PHP installation Description We received an advisory from Tim Starling Wikimedia, and we wish to thank him for his work. Some scripts in the /libraries directory were vulnerable to XSS. Severity We...

Several security issues were reported to BugTraq mailing list. However most of these issues were already fixed some time ago.

PMASA-2003-1 Announcement-ID: PMASA-2003-1 Date: 2003-06-18 Summary Several security issues were reported to BugTraq mailing list. However most of these issues were already fixed some time ago. Description Reporter wrote that he found following issues within phpMyAdmin code each issue is followed...

Open redirection

PMASA-2016-57 Announcement-ID: PMASA-2016-57 Date: 2016-11-25 Summary Open redirection Description A vulnerability was discovered where a user can be tricked in to following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the...

XSRF/CSRF vulnerability in phpMyAdmin setup.

PMASA-2015-2 Announcement-ID: PMASA-2015-2 Date: 2015-05-13 Summary XSRF/CSRF vulnerability in phpMyAdmin setup. Description By deceiving a user to click on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup. Severity We consider this vulnerability...

DoS vulnerability with long passwords.

PMASA-2014-17 Announcement-ID: PMASA-2014-17 Date: 2014-12-03 Summary DoS vulnerability with long passwords. Description With very long passwords it was possible to initiate a denial of service attack on phpMyAdmin. Severity We consider this vulnerability to be serious. Mitigation factor This...

Path disclosure due to missing verification of file presence.

PMASA-2012-2 Announcement-ID: PMASA-2012-2 Date: 2012-03-28 Summary Path disclosure due to missing verification of file presence. Description The showconfigerrors.php scripts did not validate the presence of the configuration file, so an error message shows the full path of this file, leading to...

XSS in export.

PMASA-2011-20 Announcement-ID: PMASA-2011-20 Date: 2011-12-21 Summary XSS in export. Description Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections. Severity We consider these vulnerabilities to be non critical. Mitigation...

Insufficient output sanitizing when generating configuration file.

PMASA-2010-4 Announcement-ID: PMASA-2010-4 Date: 2010-08-20 Summary Insufficient output sanitizing when generating configuration file. Description The setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration...

Insufficient output sanitizing when generating configuration file.

PMASA-2009-3 Announcement-ID: PMASA-2009-3 Date: 2009-03-24 Summary Insufficient output sanitizing when generating configuration file. Description Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file...

SQL injection vulnerability (Delayed Cross Site Request Forgery)

PMASA-2008-1 Announcement-ID: PMASA-2008-1 Date: 2008-03-01 Updated: 2008-03-03 Summary SQL injection vulnerability Delayed Cross Site Request Forgery Description We received an advisory from Richard Cunningham, and we wish to thank him for his work. phpMyAdmin used the $$REQUEST superglobal as a...

XSS vulnerabilities

PMASA-2007-6 Announcement-ID: PMASA-2007-6 Date: 2007-10-17 Updated: 2007-10-24 Summary XSS vulnerabilities Description We received an advisory from Omer Singer, The DigiTrust Group, and we wish to thank him for his work. It was possible to trigger this attack on serverstatus.php. Our team fixed...

Path disclosure

PMASA-2005-2 Announcement-ID: PMASA-2005-2 Date: 2005-02-26 Summary Path disclosure Description By calling some scripts that are part of phpMyAdmin in an unexpected way especially scripts in the libraries subdirectory, it is possible to trigger phpMyAdmin to display a PHP error message which...

Two factor authentication bypass

PMASA-2022-1 Announcement-ID: PMASA-2022-1 Date: 2022-01-10 Summary Two factor authentication bypass Description There is a sequence of actions a valid user can take that will allow them to bypass two factor authentication for that account. A user must first connect to phpMyAdmin presumably using...

Multiple vulnerabilities in setup script

PMASA-2016-44 Announcement-ID: PMASA-2016-44 Date: 2017-01-24 Summary Multiple vulnerabilities in setup script Description A server-side request forgery vulnerability was reported with the setup script. This flaw can allow an unauthenticated attacker to: 1. brute-force passwords of MYSQL servers...

Multiple DOS vulnerabilities

PMASA-2016-65 Announcement-ID: PMASA-2016-65 Date: 2016-11-25 Updated: 2016-12-06 Summary Multiple DOS vulnerabilities Description With a crafted request parameter value it is possible to initiate a denial of service attack in saved searches feature. With a crafted request parameter value it is...

SQL injection attack

PMASA-2016-39 Announcement-ID: PMASA-2016-39 Date: 2016-07-14 Summary SQL injection attack Description A vulnerability was discovered in the following features where a user can execute an SQL injection attack against the account of the control user: User group Designer Severity We consider this...