
phpMyAdmin Bringing MySQL to the web

Submitted by Style Pass, 2022-01-23 16:30:07

A flaw was identified in how phpMyAdmin processes two-factor authentication: a user could potentially manipulate their own account so that two-factor authentication is bypassed in subsequent authentication sessions (PMASA-2022-1) (affects both 4.9 and 5.1).

A series of weaknesses was identified that allows a malicious user to submit crafted input to the graphical setup page, resulting in a cross-site scripting (XSS) or HTML injection attack (PMASA-2022-2) (affects 5.1 only; not 4.9).

In some scenarios, potentially sensitive information such as the database name can be part of the URL. This can now optionally be encrypted. Two new configuration directives relate to this improvement: $cfg['URLQueryEncryption'] and $cfg['URLQueryEncryptionSecretKey']. The encryption is enabled by setting $cfg['URLQueryEncryption'] to true in your config.inc.php. Thanks to Rich Grimes (https://twitter.com/saltycoder) for suggesting this improvement (affects both 4.9 and 5.1).

During a failed login attempt, the error message reveals the target database server's hostname or IP address, which discloses some information about the network infrastructure to an attacker. This information can now be suppressed with the $cfg['Servers'][$i]['hide_connection_errors'] directive. Thanks to Dr. Shuzhe Yang, Manager Security Governance at GLS IT Services, for suggesting this improvement (affects both 4.9 and 5.1).
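The two hardening directives above, shown together in a config.inc.php excerpt with the default (weak) settings beside the corrected ones. This is an added example, not text or code from the phpMyAdmin announcement or project. The requirement that the secret key be exactly 32 bytes is my reading of the phpMyAdmin documentation for these releases and should be checked against it; the host name, the server index and the key placeholder are hypothetical.

```php
<?php
/* config.inc.php excerpt (added example, not from the announcement). */

$i = 0;

/* Defaults, shown for contrast: query strings such as
   ?db=customers&table=users travel in clear text, and a failed login
   echoes the target database server's host or IP address. */
// $cfg['URLQueryEncryption'] = false;                    // default
// $cfg['Servers'][$i + 1]['hide_connection_errors'] = false; // default

/* Hardened: encrypt the sensitive part of the URL query string. */
$cfg['URLQueryEncryption'] = true;

/* Assumption: the key must be exactly 32 bytes. Generate 32 printable
   characters outside PHP, e.g. `openssl rand -hex 16`, and paste them
   here. The placeholder is deliberately short so the guard below refuses
   to run with it. */
$cfg['URLQueryEncryptionSecretKey'] = 'CHANGE-ME';

/* Fail closed instead of silently running with a wrong-length key. */
if (strlen($cfg['URLQueryEncryptionSecretKey']) !== 32) {
    throw new RuntimeException(
        'URLQueryEncryptionSecretKey must be exactly 32 bytes'
    );
}

$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['host'] = 'db-internal.example.net'; // placeholder

/* Hardened: do not reveal the host/IP of this server in failed-login
   errors shown to the user. */
$cfg['Servers'][$i]['hide_connection_errors'] = true;
```

Keep the key out of version control and rotate it like any other secret; since it only protects the query string in transit and in logs, it does not replace TLS or the existing cookie-auth secret.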
