Announcement-ID: PMASA-2016-27
Date: 2016-06-23
Unsafe handling of preg_replace parameters
In some versions of PHP, it's possible for an attacker to pass parameters to the preg_replace() function which can allow the execution of arbitrary PHP code. This code is not properly sanitized in phpMyAdmin as part of the table search and replace feature.
We consider this vulnerability to be of moderate severity.
Using PHP version 5.4.6 or newer doesn't allow null termination of the preg_replace string parameter. PHP since 7.0 doesn't allow code execution in preg_replace at all.
All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 4.0.x versions (prior to 4.0.10.16) are affected
Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patch listed below.
Thanks to Michal Čihař and Cure53 using RIPS for discovering these vulnerabilities.
Assigned CVE ids: CVE-2016-5734
CWE ids: CWE-661
The following commits have been made on the 4.0 branch to fix this issue:
The following commits have been made on the 4.4 branch to fix this issue:
The following commits have been made on the 4.6 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.