• GoDaddy Community
  • cPanel Hosting

    • cPanel Hosting

    cancel
    Turn on suggestions
    Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
    Showing results for 
    Show  only  | Search instead for 
    Did you mean: 
    samet
    New
    ‎01-03-2018 08:56 AM
    ‎01-03-2018 08:56 AM

    phpmyAdmin critical vulnerability affecting versions 4.7.x(prior 4.7.7)

    A new phpmyAdmin vulnerability has been disclosed which severely affects databases (deleting data).

    When I went to check my shared hosting phpmyadmin version I notice as it has not been update since 2016/11/24 and the version they using is 4.0.10.18.

    I immediately called godaddy but they don't have a patching in place yet. It has been 1 year and they keep outdated apps on server.

    At this moment the server still has outdate phpmyadmin and I don't know when are they going to patch it.

    There isn't a phone number for emergency contact. Nor an email. The phone numbers they have cannot help (they say the team responsible for patching shared hosting apps don't have a date in place to patch this), and it has been 1 year.

    Thank God I'm not hosting an ecommerce site with them, which would severely affect my customers database.

    Very disappointing GoDaddy. I guess it's time to switch ... 😞

    Product:
    0 Kudos
    Reply
    1 REPLY 1
    samet
    New
    ‎01-03-2018 09:00 AM
    ‎01-03-2018 09:00 AM

    Below is the latest phpmyAdmin ChangeLog:

    phpMyAdmin - ChangeLog

    phpMyAdmin - ChangeLog
phpMyAdmin - ChangeLog
======================

4.0.10.18 (2016-11-24)
- issuebug #12485 Do not show warning about short blowfish_secret if none is set
- issue        [security] Open redirection issue, see PMASA-2016-57
- issue        [security] Unsafe generation of $cfg['blowfish_secret'], see PMASA-2016-58
- issue        [security] phpMyAdmin's phpinfo functionality is removed, see PMASA-2016-59
- issue        [security] AllowRoot and allow/deny rule bypass with specially-crafted username, see PMASA-2016-60
- issue        [security] Username matching weaknesses with allow/deny rules, see PMASA-2016-61
- issue        [security] Full path disclosure (FPD) weaknesses, see PMASA-2016-63
- issue        [security] Multiple cross-site scripting (XSS) weaknesses, see PMASA-2016-64
- issue        [security] Multiple denial-of-service (DOS) vulnerabilities, see PMASA-2016-65
- issue        [security] Possible to bypass white-list protection for URL redirection, see PMASA-2016-66
- issue        [security] Multiple SQL injection vulnerabilities, see PMASA-2016-69
- issue        [security] Incorrect serialized string parsing, see PMASA-2016-70
- issue        [security] CSRF token not stripped from the URL, see PMASA-2016-71

     

     

     

    0 Kudos
    Reply

    You may also like...