phpMyAdmin 4.8.5 releases: fix arbitrary file read & SQL injection vulnerability
phpMyAdmin is a free software tool written in PHP that is intended to handle the administration of a MySQL or MariaDB database server. You can use phpMyAdmin to perform most administration tasks, including creating a database, running queries, and adding user accounts.
phpMyAdmin 4.8.5 was released to fix two critical security flaws. The security vulnerabilities are below:
CVE-2019-6799: arbitrary file read vulnerabilityAn issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server’s user can access. This is related to the mysql.allow_local_infile PHP configuration, and the inadvertent ignoring of “options(MYSQLI_OPT_LOCAL_INFILE” calls.CVE- 2019-6798: SQL injectionA vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature.
