Announcement-ID: PMASA-2016-69
Date: 2016-11-25
Updated: 2016-12-06
Multiple SQL injection vulnerabilities
With a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database.
Edited to correct an incorrect commit ID for the 4.0 branch.
We consider these vulnerabilities to be serious.
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.
Assigned CVE ids: CVE-2016-9864
The following commits have been made on the 4.0 branch to fix this issue:
The following commits have been made on the 4.4 branch to fix this issue:
The following commits have been made on the 4.6 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.