phpMyAdmin has announced that it has released updates for phpMyAdmin 4.9 and 5.1 to fix XSS/HTML injection attacks and the display of sensitive information in the URL.
phpMyAdmin 4.9.8 and 5.1.2 security updates release
The phpMyAdmin security update addresses a flaw identified in two-factor authentication. It was discovered that a malicious user could bypass two-factor authentication in subsequent authentication sessions (PMASA-2022-1) in phpMyAdmin versions 4.9 and 5.1.
The update also fixes a security issue in 5.1 where an attacker could submit malicious input to the graphical setup page, resulting in an XSS or HTML injection attack (PMASA-2022-2).
Sensitive information like the database name could also be viewed in the URL. This can be fixed by enabling URLQueryEncryption in your config.inc.php.
Lastly, a failed login attempt error could reveal the database hostname or IP address. This can be fixed with the $cfg['Servers'][$i]['hide_connection_errors'] directive.
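The two hardening directives mentioned above, as they would appear in a phpMyAdmin config.inc.php. This is an added example, not configuration taken from the announcement or from the phpMyAdmin project itself. It shows the default (unset, equivalent to false) beside the hardened value for each directive; the URLQueryEncryptionSecretKey directive and the placeholder key are assumptions from the phpMyAdmin configuration documentation and are not mentioned on the page.

```php
<?php
// Added example: config.inc.php excerpt hardening the two information
// disclosures described above. Not the project's own sample config.

$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'db.internal.example'; // constructed value
$cfg['Servers'][$i]['auth_type'] = 'cookie';

// Default (equivalent to leaving the directive unset): a failed connection
// shows the MySQL error text, which includes the database hostname or IP.
// $cfg['Servers'][$i]['hide_connection_errors'] = false;

// Hardened: the login page reports only that the connection failed, so the
// hostname or IP of the database server is not exposed to an anonymous user.
$cfg['Servers'][$i]['hide_connection_errors'] = true;

// Default: query-string parameters such as the database and table name are
// sent in clear text in the URL and end up in browser history, proxy logs
// and Referer headers.
// $cfg['URLQueryEncryption'] = false;

// Hardened: encrypt the query string. The secret key directive is an
// assumption from the phpMyAdmin documentation (not on the page); it must be
// exactly 32 bytes. Replace the placeholder with a random value, for example
// the output of bin2hex(random_bytes(16)), and keep it out of version control.
$cfg['URLQueryEncryption'] = true;
$cfg['URLQueryEncryptionSecretKey'] = 'REPLACE_WITH_32_RANDOM_BYTES____'; // placeholder, 32 chars
```

A quick check after deploying: trigger a login with a deliberately wrong password and confirm the error text no longer contains the host, then open any table and confirm the browser URL no longer shows the database or table name in clear text.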
If you are on shared hosting, you do not have to worry as your host will take care of such updates.
Other updates in 5.2.0 (RC1) include, but are not limited to:
- Microsoft Internet Explorer will not be supported
- The minimum PHP version required is 7.2 or later
- openssl PHP extension must be enabled
- Mroonga engine support added
- Account locking support added
- SQL parser library improvements
Here are more details about the phpMyAdmin 4.9.8, 5.1.2, and 5.2.0 releases.