The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement.
A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user in to executing a cross-site scripting (XSS) attack in the Designer feature.
In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:
- WHERE 0 clause causes a fatal error
- Fix missing "INDEX" icon
Friday, June 22, 2018