A new phpMyAdmin vulnerability has been disclosed which can severely affect databases (deleting data).
When I went to check my shared hosting phpMyAdmin version I noticed that it has not been updated since 2016/11/24 and the version they are using is 22.214.171.124.
I immediately called GoDaddy but they don't have a patch in place yet. It has been 1 year and they keep outdated apps on the server.
At this moment the server still has the outdated phpMyAdmin and I don't know when they are going to patch it.
There isn't a phone number for emergency contact, nor an email. The phone numbers they have cannot help (they say the team responsible for patching shared hosting apps doesn't have a date in place to patch this), and it has been 1 year.
Thank God I'm not hosting an ecommerce site with them, which would severely affect my customer database.
Very disappointing GoDaddy. I guess it's time to switch ... 😞
Below is the latest phpMyAdmin ChangeLog:

phpMyAdmin - ChangeLog
======================

126.96.36.199 (2016-11-24)
- issue #12485 Do not show warning about short blowfish_secret if none is set
- issue [security] Open redirection issue, see PMASA-2016-57
- issue [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
- issue [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
- issue [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
- issue [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
- issue [security] Multiple cross-site scripting (XSS) weaknesses, see PMASA-2016-64
- issue [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
- issue [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
- issue [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue [security] Incorrect serialized string parsing, see PMASA-2016-70
- issue [security] CSRF token not stripped from the URL, see PMASA-2016-71
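As an added example, not part of the original post and not phpMyAdmin's own code, here is a small Python script that does what the poster did by hand: it parses a ChangeLog in the layout quoted above, reads off the newest release's version and date, collects the PMASA advisory IDs the install already covers, and flags the install when it is older than a required version or a maximum age. The ChangeLog text embedded below is a constructed sample in that layout (its version numbers are illustrative, not the poster's host), and the `4.7.7` threshold passed in at the bottom is an assumed example value, not a statement about which release fixes the vulnerability the post refers to.

```python
import re
from datetime import date

# Constructed sample in the layout of a phpMyAdmin ChangeLog file.
# Version numbers and the older entry are illustrative, not taken from any real host.
SAMPLE_CHANGELOG = """\
phpMyAdmin - ChangeLog
======================

4.6.5 (2016-11-24)
- issue #12485 Do not show warning about short blowfish_secret if none is set
- issue       [security] Open redirection issue, see PMASA-2016-57
- issue       [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue       [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue       [security] CSRF token not stripped from the URL, see PMASA-2016-71

4.6.4 (2016-08-16)
- issue #12345 Constructed non-security entry for the example
"""

# Release header: "<dotted version> (<YYYY-MM-DD>)" on its own line.
HEADER_RE = re.compile(r"^(\d+(?:\.\d+)+)\s+\((\d{4}-\d{2}-\d{2})\)\s*$", re.M)
# Advisory identifiers referenced by "[security] ..., see PMASA-YYYY-NN" entries.
PMASA_RE = re.compile(r"\bPMASA-\d{4}-\d+\b")


def parse_changelog(text):
    """Return one dict per release block, newest first (file order)."""
    releases = []
    headers = list(HEADER_RE.finditer(text))
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[m.end():end]
        releases.append({
            "version": tuple(int(p) for p in m.group(1).split(".")),
            "version_str": m.group(1),
            "date": date.fromisoformat(m.group(2)),
            "advisories": PMASA_RE.findall(body),
        })
    return releases


def audit(text, minimum_version, today, max_age_days=180):
    """Compare the newest release in a ChangeLog against a required version and age.

    minimum_version: the release the current vendor advisory requires (assumed by caller).
    today: passed in explicitly so the check is reproducible in tests.
    """
    releases = parse_changelog(text)
    if not releases:
        raise ValueError("no release header found in ChangeLog")
    newest = releases[0]
    minimum = tuple(int(p) for p in minimum_version.split("."))
    age_days = (today - newest["date"]).days

    findings = []
    if newest["version"] < minimum:
        findings.append(f"installed {newest['version_str']} is below required {minimum_version}")
    if age_days > max_age_days:
        findings.append(f"newest release in ChangeLog is {age_days} days old")

    return {
        "installed": newest["version_str"],
        "released": newest["date"].isoformat(),
        "age_days": age_days,
        # Advisories this build already covers; anything newer is still open.
        "fixed_advisories": sorted({a for r in releases for a in r["advisories"]}),
        "findings": findings,
    }


if __name__ == "__main__":
    # "4.7.7" is an assumed threshold for the example, not a claim about any advisory.
    result = audit(SAMPLE_CHANGELOG, "4.7.7", date.today())
    for key, value in result.items():
        print(f"{key}: {value}")
```

A ChangeLog only tells you what the shipped build includes, not whether the host has back-ported anything, and some hosts strip the file entirely; if it is missing, compare the version shown in the phpMyAdmin interface (or in its README) against the same threshold.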