phpMyAdmin critical vulnerability affecting versions 4.7.x (prior to 4.7.7)

A new phpMyAdmin vulnerability has been disclosed which severely affects databases (deleting data).

When I went to check my shared hosting phpMyAdmin version I noticed it has not been updated since 2016/11/24 and the version they are using is 4.0.10.18.

I immediately called GoDaddy but they don't have a patch in place yet. It has been 1 year and they keep outdated apps on the server.

At this moment the server still has outdated phpMyAdmin and I don't know when they are going to patch it.

There isn't a phone number for emergency contact, nor an email. The phone numbers they have cannot help (they say the team responsible for patching shared hosting apps doesn't have a date in place to patch this), and it has been 1 year.

Thank God I'm not hosting an ecommerce site with them, which would severely affect my customers database.

Very disappointing, GoDaddy. I guess it's time to switch ...


Re: phpMyAdmin critical vulnerability affecting versions 4.7.x (prior to 4.7.7)

Below is the latest phpMyAdmin ChangeLog:

phpMyAdmin - ChangeLog
======================

4.0.10.18 (2016-11-24)
- bug #12485 Do not show warning about short blowfish_secret if none is set
- issue        [security] Open redirection issue, see PMASA-2016-57
- issue        [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue        [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
- issue        [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
- issue        [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
- issue        [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
- issue        [security] Multiple cross-site scripting (XSS) weaknesses, see PMASA-2016-64
- issue        [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
- issue        [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue        [security] Incorrect serialized string parsing, see PMASA-2016-70
- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71
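One way to turn a pasted ChangeLog like the one above into an actionable check: an added example (not from this thread or the phpMyAdmin project) that parses the release headers and `[security]` lines, then lists the PMASA advisories a host still running a given version has not received. The sample text is a constructed, shortened copy of the 4.0.10.18 block; comparisons are only meaningful within the branch the ChangeLog covers.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 4.0.10.18 block quoted in the reply above, shortened.
SAMPLE_CHANGELOG = """\
phpMyAdmin - ChangeLog
======================

4.0.10.18 (2016-11-24)
- bug #12485 Do not show warning about short blowfish_secret if none is set
- issue        [security] Open redirection issue, see PMASA-2016-57
- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71
"""

# Release header: "4.0.10.18 (2016-11-24)"; advisory ids: "PMASA-2016-57"
RELEASE_RE = re.compile(r"^(\d+(?:\.\d+)*)\s+\((\d{4}-\d{2}-\d{2})\)\s*$")
PMASA_RE = re.compile(r"PMASA-\d{4}-\d+")


@dataclass
class Release:
    version: tuple   # e.g. (4, 0, 10, 18); tuples compare component-wise
    date: str
    advisories: list # PMASA ids fixed in this release


def parse_version(text):
    """'4.0.10.18' -> (4, 0, 10, 18)."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_changelog(text):
    """Walk the ChangeLog top-down: each version header opens a release, and
    every '[security]' line beneath it contributes its PMASA references."""
    releases = []
    for line in text.splitlines():
        m = RELEASE_RE.match(line)
        if m:
            releases.append(Release(parse_version(m.group(1)), m.group(2), []))
        elif releases and "[security]" in line:
            releases[-1].advisories.extend(PMASA_RE.findall(line))
    return releases


def missing_advisories(installed, changelog_text):
    """PMASA ids fixed only in releases newer than `installed`, i.e. the
    security fixes a host on that version has not yet received."""
    current = parse_version(installed)
    missing = []
    for rel in parse_changelog(changelog_text):
        if rel.version > current:
            missing.extend(rel.advisories)
    return missing


if __name__ == "__main__":
    print(missing_advisories("4.0.10.17", SAMPLE_CHANGELOG))
```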