PMASA-2016-19

Announcement-ID: PMASA-2016-19

Date: 2016-06-23

Summary

SQL injection attack

Description

A vulnerability was discovered that allows an SQL injection attack to run arbitrary commands as the control user.

Severity

We consider this vulnerability to be serious

Mitigation factor

This attack requires a controluser to exist and be configured in `config.inc.php`, therefore the attack can be mitigated by temporarily disabling the controluser.

Affected Versions

Versions 4.6.x (prior to 4.6.3) and 4.4.x (prior to 4.4.15.7) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7 or newer or apply patch listed below.

References

Thanks to Brian "geeknik" Carpenter for reporting this vulnerability.

Assigned CVE ids: CVE-2016-5703

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

The following commits have been made on the 4.4 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements