

Announcement-ID: PMASA-2013-4

Date: 2013-04-24


Summary

Local file inclusion vulnerability.


Description

In the Export feature, a parameter specifying the export type was not correctly validated, opening the door to a local file inclusion attack.
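One way to validate an export-type parameter before it reaches an `include`, as an added example that is not phpMyAdmin's code or its actual fix. The function names, the `Export<Type>.php` file layout and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added illustration: hypothetical names and paths, not phpMyAdmin's code.

// Weak pattern, shown for contrast and never called here: the request value
// goes straight into the include path.
function loadExporterUnsafe(string $dir, $what)
{
    return include $dir . '/Export' . ucfirst($what) . '.php';
}

// Hardened pattern: validate, allowlist, then confine the resolved path.
function loadExporter(string $dir, $what)
{
    // Request parameters can arrive as arrays; accept only a short lowercase name.
    if (!is_string($what) || !preg_match('/\A[a-z]{1,20}\z/', $what)) {
        return null;
    }
    // Allowlist built from the plugin files that actually exist in $dir.
    $known = [];
    foreach (glob($dir . '/Export*.php') ?: [] as $file) {
        $known[strtolower(substr(basename($file, '.php'), 6))] = $file;
    }
    if (!isset($known[$what])) {
        return null;
    }
    // Defence in depth: the resolved file must sit inside the plugin directory.
    $real = realpath($known[$what]);
    $base = realpath($dir) . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $base, strlen($base)) !== 0) {
        return null;
    }
    return include $real;
}

// Constructed plugin directory and inputs so the script runs offline.
$dir = sys_get_temp_dir() . '/export_plugins_' . getmypid();
mkdir($dir);
foreach (['csv', 'sql'] as $type) {
    file_put_contents("$dir/Export" . ucfirst($type) . '.php', "<?php return '$type exporter';\n");
}
foreach (['csv', 'sql', 'xml', '../elsewhere/file', ['csv']] as $input) {
    $result = loadExporter($dir, $input);
    printf("%-22s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $result ?? 'rejected');
}
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Only `csv` and `sql` load a plugin; the unknown type, the path-shaped string and the array value are all rejected before any file is included.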


Severity

We consider this vulnerability to be serious.

Mitigation factor

This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form.

Affected Versions

phpMyAdmin versions 4.x (prior to 4.0.0-rc3).


Solution

Upgrade to phpMyAdmin 4.0.0-rc3 or newer.


References

Thanks to Janek Vind for reporting this issue.

Assigned CVE ids: CVE-2013-3240

CWE ids: CWE-661 CWE-98

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is