phpMyAdmin updates close critical security holes
Versions 220.127.116.11 and 18.104.22.168 of phpMyAdmin close a total of four security holes in the open source database administration tool. According to the phpMyAdmin developers, the security releases address two "critical" vulnerabilities that could lead to possible session manipulation in swekey authentication or remote code execution. A "serious" bug that could allow an attacker to perform a local file inclusion and a "minor" cross-site scripting (XSS) hole have also been fixed.
Versions 22.214.171.124 and earlier are affected. The 2.11.x branch, which reached its end of life earlier this month, is not affected by the session manipulation hole, but may be affected by the others. All users are advised to update to the latest versions. Alternatively, users can apply the provided patches.
More details about the holes closed in the updates can be found in the project's security advisories. Versions 126.96.36.199 and 188.8.131.52 of phpMyAdmin are available to download from the project's site. Hosted on SourceForge, phpMyAdmin is made available under version 2 of the GNU General Public License (GPLv2).
- XSS in table Print view, a phpMyAdmin security advisory.
- Local file inclusion, a phpMyAdmin security advisory.
- Local file inclusion vulnerability and code execution, a phpMyAdmin security advisory.
- Possible session manipulation in swekey authentication, a phpMyAdmin security advisory.