Unsafe handling of preg_replace parameters
In some versions of PHP, it's possible for an attacker to pass parameters to the
preg_replace() function which can allow the execution of arbitrary PHP code. This code is not properly sanitized in phpMyAdmin as part of the table search and replace feature.
We consider this vulnerability to be of moderate severity.
Using PHP version 5.4.6 or newer doesn't allow null termination of the preg_replace string parameter. PHP since 7.0 doesn't allow code execution in preg_replace at all.
All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 220.127.116.11), and 4.0.x versions (prior to 18.104.22.168) are affected
Upgrade to phpMyAdmin 4.6.3, 22.214.171.124, or 126.96.36.199 or newer or apply patch listed below.
Assigned CVE ids: CVE-2016-5734
CWE ids: CWE-661
The following commits have been made on the 4.0 branch to fix this issue:
The following commits have been made on the 4.4 branch to fix this issue:
The following commits have been made on the 4.6 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.