phpMyAdmin / News: Recent posts

phpMyAdmin 4.9.11 and 5.2.1 are released

The phpMyAdmin team is pleased to announce the release of phpMyAdmin version
5.2.1. This is a bugfix release that also contains a security fix for an XSS
vulnerability in the drag-and-drop upload functionality (PMASA-2023-01). We
are also releasing version 4.9.11 which exclusively fixes the XSS
vulnerability.

This release of 5.2.1 contains many bug fixes.

Some highlights include:

  • issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
  • issue #17519 Fix Export pages not working in certain conditions
  • issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
  • issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
  • issue #17248 Support the UUID data type for MariaDB >= 10.7
  • issue #16042 Fixes malformed downloads when using gzip compression type and FireFox browser
  • Add spellcheck="false" to all password fields and some text fields to avoid spell-jacking data leaks
  • Fixes for JavaScript errors when using Designer
  • Fixes for PHP 8.2 compatibility...

Posted by SourceForge Robot 2023-02-08

phpMyAdmin 5.2.0 is released

Welcome to the release of phpMyAdmin version 5.2.0. This release contains many
new features and quite a few bug fixes. We are simultaneously releasing
phpMyAdmin 5.1.4, which is the last release of the 5.1 line and is mostly
intended to help downstream packaging teams. Most users should migrate to
5.2.0.

Most notably, these releases resolve a networking error when exporting a file
(https://github.com/phpmyadmin/phpmyadmin/issues/17445)....

Posted by SourceForge Robot 2022-05-10

phpMyAdmin 4.9.10 and 5.1.3 are released

The phpMyAdmin team announces the release of versions 4.9.10 and 5.1.3.

These versions primarily address a regression that caused the navigation pane
to not function correctly when multiple pages of tables were shown.

Version 5.1.3 includes a security hardening improvement. The issue, reported
by Rafael Pedrero, could allow users to cause an error that would reveal the
path on disk where phpMyAdmin is running from. We believe this requires the
server to be running with display_errors on, which is not the recommended
setting for a production environment....

Posted by SourceForge Robot 2022-02-11

phpMyAdmin 4.9.9 is released

Welcome to the release of phpMyAdmin version 4.9.9. This is a release to fix
two issues with the 4.9.8 release. We apologize for the inconvenience.

Fixed since phpMyAdmin 4.9.8:

  • Fix a syntax error preventing use with PHP 5
  • An error was shown regarding the new "hide_configuration_errors" directive when a controluser is set

Fixed in phpMyAdmin 4.9.8:

  • Fix for a user potentially being able to disable their two factor authentication (PMASA-2022-1)
  • Add a new configuration directive $cfg['URLQueryEncryption'] to allow encrypting sensitive information in the URL to prevent disclosure. Thanks to Rich Grimes https://twitter.com/saltycoder for suggesting this improvement
  • Add a new configuration directive $cfg['Servers'][$i]['hide_connection_errors'] to allow hiding the full error message when a log on attempt fails, which can leak hostnames or IP addresses of the target database server. Thanks to Dr. Shuzhe Yang, Manager Security Governance at GLS IT Services for suggesting this improvement...

Posted by SourceForge Robot 2022-01-23

phpMyAdmin 4.9.8, 5.1.2, and 5.2.0-rc1 are released

The phpMyAdmin project announces several new releases:

  • 4.9.8, which fixes some security flaws
  • 5.1.2, which fixes some security flaws and contains many bug fixes including better PHP 8.0 and 8.1 compatibility
  • 5.2.0-rc1, a testing version introducing many new features

Security fixes (affected versions as noted)

A flaw was identified in how phpMyAdmin processes two factor authentication; a
user could potentially manipulate their account to bypass two factor
authentication in subsequent authentication sessions (PMASA-2022-1)
(affects both 4.9 and 5.1)....

Posted by SourceForge Robot 2022-01-22

Infrastructure security improvements

The infrastructure team would like to acknowledge the work of security
researcher Joël Aviad Ossi from pentest in helping us
improve some security weaknesses in our infrastructure. No user data was at
risk nor were our downloads vulnerable at any time; this is simply a note of
appreciation rather than a disclosure.

Thanks Joël for your assistance. Anyone with security concerns about the
project is always welcome to contact the team directly through the email link
at https://www.phpmyadmin.net/security/....

Posted by SourceForge Robot 2021-06-19

phpMyAdmin 5.1.1 is released

We at the phpMyAdmin project are pleased to release phpMyAdmin 5.1.1, a bugfix
release.

There are many new bug fixes; a few highlights include:

  • Fixes for several PHP errors
  • Fixes for "$cfg['DefaultTabDatabase']" and other related configuration directives not working properly
  • Fix Yaml export to quote strings even when they are numeric
  • Fix TCPDF open_basedir issue due to internal guessing code from TCPDF
  • Fix for quick search not working when using more than one configured server
  • Fix datetime decimals displayed (.00000) after edit
  • Fix new lines in text fields are doubled
  • Fixed URL generation by removing un-needed & escaping for & char
  • Improvements for working with PHP 8.1
  • Improved handling of adding a new user with the Percona database server...

Posted by SourceForge Robot 2021-06-04

phpMyAdmin 5.1.0 is released

We at the phpMyAdmin project are pleased to publish phpMyAdmin 5.1.0.

There are many new features and bug fixes; a few highlights include:

  • Improve virtuality dropdown for MariaDB > 10.1
  • Added an option to perform ALTER ONLINE (ALGORITHM=INPLACE) when editing a table structure
  • Added ip2long transformation
  • Improvements to linking to MySQL and MariaDB documentation
  • Add "Preview SQL" option on Index dialog box when creating a new table
  • Add a new vendor constant "CACHE_DIR" that defaults to "libraries/cache/" and store routing cache into this folder
  • Add $cfg['CaptchaSiteVerifyURL'] for Google ReCaptcha siteVerifyUrl
  • Add the password_hash PHP function as an option when inserting data
  • Improvements to editing and displaying columns of the JSON data type.
  • Added support for "SameSite=Strict" on cookies using configuration "$cfg['CookieSameSite']"
  • Fixed AWS RDS IAM authentication doesn't work because pma_password is truncated
  • Add config parameters to support third-party ReCaptcha v2 compatible APIs like hCaptcha
  • Add $cfg['MysqlSslWarningSafeHosts'] to set the red text black when ssl is not used on a private network
  • Export blobs as hex on JSON export
  • Fix leading space not shown in a CHAR column when browsing a table
  • Added a rename Button to use RENAME INDEX syntax of MySQL 5.7 (and MariaDB >= 10.5.2)
  • Fixed missing option to enter TABLE specific permissions when the database name contains an "_" (underscore)
  • Fixed a PHP notice "Trying to access array offset on value of type null" on Designer PDF export
  • Fix for several PHP 8 warnings or errors, giving this release full compatibility with PHP 8...

Posted by SourceForge Robot 2021-02-24

phpMyAdmin 4.9.7 and 5.0.4 are released

Welcome to the release of phpMyAdmin version 4.9.7 and 5.0.4. These are bug
fix releases to address packaging problems with 4.9.6 and 5.0.3. Version 5.0.3
includes a few other minor bugs as well.

Fixed in both:

  • Two factor authentication was broken
  • Incompatibilities with older PHP versions.

Additional fixes in 5.0.3:

  • Fix for cleared search values when a Zoom search fails
  • Fix a PHP error when reporting a certain JavaScript error
  • Fixed latitude and longitude swap for geometries in edit mode
  • Fix CREATE TABLE not being tracked when auto tracking is enabled...

Posted by SourceForge Robot 2020-10-15

phpMyAdmin 4.9.6 and 5.0.3 are released

Hello,

The phpMyAdmin team announces the release of both phpMyAdmin versions 4.9.6
and 5.0.3.

Both versions contain several important security fixes:

  • PMASA-2020-5 XSS vulnerability with transformation feature
  • PMASA-2020-6 SQL injection vulnerability with the search feature

In addition, 5.0.3 contains many bugfixes. Some of the highlights include:

  • Fix an error message about htmlspecialchars() when attempting to export XML
  • Support double tapping to edit on mobile
  • Fix the error message "Use of undefined constant MYSQLI_TYPE_JSON" when using mysqlnd
  • Fix fatal JS error on index creation after using Enter key to submit the form
  • Fix "axis-order" to swap latitude and longitude on MySQL 8.1 or newer
  • Fix an error when overwriting an existing query bookmark
  • Fix some warnings that appear with PHP 8
  • Fix alter user privileges query when editing an account with MySQL 8.0.11 and newer
  • Fix issues regarding TIMESTAMP columns with default CURRENT_TIMESTAMP in MySQL 8.0.13 and newer
  • Fix a message that "Warning: error_reporting() has been disabled for security reasons" on php 7.x...

Posted by SourceForge Robot 2020-10-10

phpMyAdmin 4.9.5 and 5.0.2 are released

Hello,

The phpMyAdmin team announces the release of both 4.9.5 and 5.0.2.

Both versions contain several security fixes:

  • PMASA-2020-2 SQL injection vulnerability in the user accounts page, particularly when changing a password
  • PMASA-2020-3 SQL injection vulnerability relating to the search feature
  • PMASA-2020-4 SQL injection and XSS having to do with displaying results
  • Removing of the "options" field for the external transformation....

Posted by SourceForge Robot 2020-03-21

phpMyAdmin 4.9.4 and 5.0.1 are released

The phpMyAdmin team announces the release of versions 4.9.4 and 5.0.1.

As a reminder, version 4.x is in the LTS phase, where only security fixes and
critical bug fixes are made. Users are suggested to migrate to version 5.

These releases address two issues, a problem with two-factor authentication
that was introduced with the last releases, and a fix for an SQL injection
vulnerability that was reported by CSW Research Labs
https://twitter.com/cswcyberworks. This vulnerability is assigned
PMASA-2020-1 and requires that the attacker have logged in through a valid
MySQL account....

Posted by SourceForge Robot 2020-01-08

phpMyAdmin 5.0.0 is released

Welcome to the release of phpMyAdmin version 5.0.0. This release is occurring
simultaneously with version 4.9.3; except for users with old PHP
installations, version 5.0.0 is the recommended version.

This release includes many new features and improvements from the 4.9 series.
We expect to maintain version 4 in a security capacity to support users with
older PHP installations. For full details about supported versions and end of
life dates, see the "Supported versions" grid at
https://www.phpmyadmin.net/downloads/....

Posted by SourceForge Robot 2019-12-26

phpMyAdmin 4.9.3 is released

Welcome to phpMyAdmin 4.9.3, a routine bugfix release. This release is
occurring simultaneously with the release of phpMyAdmin 5.0.0, which is our
recommended version except for users with older PHP installations.

This is planned as the final bugfix release of phpMyAdmin version 4. Version 4
works with PHP versions 5.5 through (at least) 7.4, and MySQL versions 5.5
and newer (and the corresponding MariaDB versions). Version 5 will require
PHP 7.1 or newer, but we plan to maintain security fixes for version 4 as part
of our LTS program. For end of life details and supported versions, please see
the "Supported versions" grid at https://www.phpmyadmin.net/downloads/....

Posted by SourceForge Robot 2019-12-26

phpMyAdmin 5.0.0-rc1 is released

Welcome to the first release candidate of phpMyAdmin 5.0.0. This release features a great number of new features and bug fixes.

This is expected to be the final release candidate before 5.0.0 is finalized. Please visit https://github.com/phpmyadmin/phpmyadmin/milestones to stay updated on the expected release date and known bugs.

Since 5.0.0-alpha1, there have been several bugfixes, none of which are particularly notable. For a complete comparison, you could visit https://github.com/phpmyadmin/phpmyadmin/compare/RELEASE_5_0_0ALPHA1..RELEASE_5_0_0RC1....

Posted by SourceForge Robot 2019-11-22

phpMyAdmin 4.9.2 is released

Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.

This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated PMASA-2019-5. There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.

This release includes fixes for many bugs, including:

  • Fixes for the "Failed to set session cookie" error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
  • Fix for Advisor with MySQL 8.0.3 and newer
  • Fix PHP deprecation errors
  • Fix a situation where exporting users after a delete query could remove users
  • Fix incorrect "You do not have privileges to manipulate with the users!" warning
  • Fix copying a database's privileges and several other problems moving columns with MariaDB
  • Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export...

Posted by SourceForge Robot 2019-11-22

phpMyAdmin 4.9.1 is released

Welcome to phpMyAdmin 4.9.1, a bugfix release.

This is a regularly scheduled bugfix release that also includes some security hardening measures.

We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release....

Posted by SourceForge Robot 2019-09-21

Mohit Kuri: GSoC PMA: Final Submission

Overall, it’s been a great experience and I loved how Google promotes students
to actively participate in open source projects. Personally, I got to learn a
lot of things while working with phpMyAdmin right from February this year. I
am thankful to the mentors Isaac Bennetch, Saksham Gupta, William Desportes,
Deven Bansod and other community members for helping me throughout the
project....

Posted by SourceForge Robot 2019-08-26

Mohit Kuri: GSoC PMA: Week 11

So finally it’s here, “The final week of GSoC 2019”. At this point, we
students need to submit code and evaluations and provide mentors all the
details so that they could evaluate us.

On the issue “Designer should show tables from other databases by default”,
this week I reached a state where I can successfully save the coordinates and
all the relevant details required to save a table in a page of the designer,
but the point where I was stuck was how to print all the tables (both from the
main database and the other database whose tables were added to the page). I
tried a lot of things and faced many weird issues too, like once when I wanted
to print some variables on the page, I updated the main.twig file of the
designer but, no idea why, the designer page stopped loading and after a lot of
effort, I recovered this by deleting all the tables and pages data stored in
the pma__pdf_pages and pma__tables_coords tables of the phpMyAdmin’s
databases. During this issue, I tried a lot of things and also
faced a lot of issues, especially when I tried to display the tables on the
page (when opening a page). I talked to my mentor Isaac regarding the same and
we decided to hold it for a while and complete the other things before time.
So I created a PR (incomplete as of now, as the tables are being stored
correctly but not retrieved correctly right now)....

Posted by SourceForge Robot 2019-08-26

Mohit Kuri: GSoC PMA: Week-10

Here is the second last working week of GSoC 2019. During this week (actually
it’s more than a week, almost 10 days I guess), I looked into 2 issues, which
are “Designer should show tables from other databases by default” and
“Designer page save fails if dB name contains period”.

While resolving the issue “Designer should show tables from other databases
by default”, I have gone through the related discussion and the code written
by Raghuram Vadapalli in this PR. Last week I
thought I had successfully reproduced the issue but while thinking of the
approach I got to know that I was wrong; actually I was not able to form
relations between tables of the other databases. Thus I asked the mentors for
the steps to reproduce the same and also posted the same on the
issue. I observed that even when there is no relation between tables of the
different databases, we couldn’t save the page successfully. For this, I first
looked at the code for displaying tables from other databases (by Raghuram
Vadapalli); also I discussed the same with Raghuram sir for a possible
solution but since he was not in touch with the organization for a while now,
he couldn’t help me here. Isaac sir suggested, “What the solution should do
is look in the phpMyAdmin configuration storage database (pmadb) and, if
there’s a reference to the current database and another database, it should
automatically show the other database”. With these initial suggestions and by
looking at the code by Raghuram sir, I thought that as per the display code, we
can just add tables from 2 databases only but later on, while adding the tables
from multiple databases, it’s successfully adding the tables. The additional
layer (to save pages with tables from different databases) should also work
with any number of databases. I started with this (actually in the beginning I
thought we can add tables just from 2 databases, which is wrong) and started
tracking the database variable....

Posted by SourceForge Robot 2019-08-26

Nupur Agarwal: GSoC 2019: Final work summary

The main task of my project was to implement a more consistent UI for
phpMyAdmin. This was achieved by applying bootstrap4 classes to the code and
making corresponding changes in css files.

Weekly posts regarding my work are listed below:
-> https://pmagsocproject.wordpress.com/2019/06/26/gsoc-pmaweek1/
-> https://pmagsocproject.wordpress.com/2019/06/26/gsoc-pmaweek-2/
-> https://pmagsocproject.wordpress.com/2019/06/26/gsoc-pmaweek3/
-> https://pmagsocproject.wordpress.com/2019/06/26/gsoc-pma-week4/
-> https://pmagsocproject.wordpress.com/2019/07/11/gsoc-pma-week-5/
-> https://pmagsocproject.wordpress.com/2019/07/24/gsoc-pma-week6/
-> https://pmagsocproject.wordpress.com/2019/07/24/gsoc-pmaweek7/
-> https://pmagsocproject.wordpress.com/2019/08/04/gsoc-pmaweek8/
-> https://pmagsocproject.wordpress.com/2019/08/13/gsoc-pma-week-9/

The following PRs were opened by me that address all the work done by me
(some of these are still in work).
[open/ merged]
-> https://github.com/phpmyadmin/phpmyadmin/pull/15320 , https://github.com/phpmyadmin/phpmyadmin/pull/15302 : Applies grid structure over all the pages.
-> https://github.com/phpmyadmin/phpmyadmin/pull/15369 : Applies card classes and sub classes like card-body to convert boxes into card form.
-> https://github.com/phpmyadmin/phpmyadmin/pull/15392 : Applies table classes to the tables.
-> https://github.com/phpmyadmin/phpmyadmin/pull/15400 , https://github.com/phpmyadmin/phpmyadmin/pull/15364 : Form classes applied.
-> https://github.com/phpmyadmin/phpmyadmin/pull/15419 : local UL lists converted to navs.
[closed]
-> https://github.com/phpmyadmin/phpmyadmin/pull/15298
-> https://github.com/phpmyadmin/phpmyadmin/pull/15299
-> https://github.com/phpmyadmin/phpmyadmin/pull/15361

I had a great working experience with phpMyAdmin community and got to learn a
lot over the period of these three months. At times, I faced problems but the
people here make the work easier and guided me through various things.
I will try to keep contributing to phpMyAdmin in future....

Posted by SourceForge Robot 2019-08-25

Mohit Kuri: GSoC PMA: Week-9

One of the problems I was facing last week has finally been resolved. In one of
the issues, “Designer Save as enhancement”, earlier
the changes were happening as expected but the problem was that it works only
when we have an alert message. It doesn’t work without an alert message (in last
week, I wasn’t able to figure out why). Later on looking into the things, I
figured out that there was a problem of synchronization here. To resolve this,
I searched for a while and later on found .ajaxStop(). AjaxStop():
Register a handler to be called when all Ajax requests have completed.
“Whenever an Ajax request completes, jQuery checks whether there are any other
outstanding Ajax requests. If none remain, jQuery triggers the ajaxStop event.
Any and all handlers that have been registered with the .ajaxStop() method
are executed at this time. The ajaxStop event is also triggered if the last
outstanding Ajax request is cancelled by returning false within the beforeSend
callback function” (Source: https://api.jquery.com/ajaxStop/). Finally I
created a PR to resolve the issue correctly....

Posted by SourceForge Robot 2019-08-13

Nupur Agarwal: GSoC PMA: week 9

Converted the ul’s on the top of some pages to navs.
Also worked on the top bar of the pages.
Added more commits to the earlier opened PR’s of tables, forms.
With these, I have dealt with most of the elements. Now, will look at the
final improvements and required changes.
The PR related to the navs class is:
-> https://github.com/phpmyadmin/phpmyadmin/pull/15419

Posted by SourceForge Robot 2019-08-13

Mohit Kuri: GSoC PMA: Week-8

Last to last week we had our phase-2 evaluations and with the help of mentors,
I successfully passed in the evaluation. For this evaluation, I thank my
mentors Isaac Bennetch, Deven Bansod, Saksham Gupta and William Desportes.

My mentor’s review was:
“You’re continuing adequately with the project. You continue to produce code
that is consistent with my expectations. In the past week, your communication
has improved as we approached the deadline. Remember that regular blog posts
are how the community and the group of mentors follows your progress, so stay
on top of them, and even if a portion of code is undergoing review, further
decision, or hasn’t yet been merged there should be other areas to work on.
Keep pushing through and remember that the community has insight to help if
you get stuck or need guidance. William and Saksham are both great resources
aside from your mentor who are quite interested in the work you’re doing.”...

Posted by SourceForge Robot 2019-08-07

Nupur Agarwal: GSoC PMA:week8

Table classes have been added to the remaining pages of pma.
Done with applying form related classes to elements of forms like
‘form-control’ to ‘legends’ and ‘select’, ‘form-check, form-check-input,
form-check-label’ to the ‘divs, checkboxes, associated labels’ respectively, etc.
The work can be seen in the following PR.
-> https://github.com/phpmyadmin/phpmyadmin/pull/15400

Posted by SourceForge Robot 2019-08-04