Announcement-ID: PMASA-2012-7

Date: 2012-10-12


Fetching the version information from a non-SSL site is vulnerable to a MITM attack.


To display information about the current phpMyAdmin version on the main page, a piece of JavaScript is fetched from the website over a non-SSL connection. A man-in-the-middle could modify this script on the wire to cause mischief.


We consider this vulnerability to be non-critical.

Affected Versions

Versions 3.5.x before 3.5.3 are affected.


Upgrade to phpMyAdmin 3.5.3 or newer or apply the patches listed below. The fix involves fetching a JSON file rather than a JavaScript file.
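
The idea behind the fix, as an added example that is not phpMyAdmin's own code: the fetched body is parsed as JSON and validated as data, so a body modified in transit is rejected instead of being executed as script. The field names `version` and `date`, the function names and the sample bodies are assumptions made for this illustration.

```javascript
// Added example, not phpMyAdmin's code. Field names and sample bodies are constructed.
const VERSION_RE = /^\d{1,3}(\.\d{1,3}){1,3}$/;
const DATE_RE = /^\d{4}-\d{2}-\d{2}$/;

// Treat the fetched body strictly as data: parse and validate, never evaluate.
function parseVersionInfo(body) {
  let data;
  try {
    data = JSON.parse(body);
  } catch (e) {
    return null; // a script or HTML body is not valid JSON and is dropped
  }
  if (data === null || typeof data !== "object" || Array.isArray(data)) return null;
  const { version, date } = data;
  if (typeof version !== "string" || !VERSION_RE.test(version)) return null;
  if (typeof date !== "string" || !DATE_RE.test(date)) return null;
  return { version, date }; // only the validated fields; extra keys are discarded
}

// Numeric comparison of dotted versions: true when `latest` is newer than `current`.
function isNewer(latest, current) {
  const a = latest.split(".").map(Number);
  const b = current.split(".").map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d > 0;
  }
  return false;
}

// Build the notice as plain text; a caller would assign it with textContent,
// not innerHTML, so the string is never interpreted as markup.
function updateNotice(body, current) {
  const info = parseVersionInfo(body);
  if (info === null || !isNewer(info.version, current)) return "";
  return "A newer version is available: " + info.version + ", released on " + info.date;
}

// Constructed sample bodies: one well-formed, two altered in transit.
const genuine = '{"version": "3.5.3", "date": "2012-10-12"}';
const tamperedScript = 'document.write("<b>modified in transit</b>");';
const tamperedField = '{"version": "3.5.3<b>modified</b>", "date": "2012-10-12"}';
```

Validation keeps a modified response from running as code in the page, but it does not authenticate the data: a response altered in transit can still carry a false version number unless the fetch itself is made over SSL.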


Thanks to Mike Cardwell for reporting this issue and suggesting workarounds.

Assigned CVE ids: CVE-2012-5368

CWE ids: CWE-661 CWE-300


The following commits have been made to fix this issue:

More information

