phpMyAdmin has recently released three new versions:

4.9.8: fixes several security vulnerabilities
5.1.2: fixes several security vulnerabilities, also fixes a large number of bugs, and improves compatibility with PHP 8.0 and 8.1
5.2.0-rc1: a beta release that introduces many new features

Security fixes

PMASA-2022-1: A vulnerability was discovered in phpMyAdmin's handling of two-factor authentication, allowing users to manipulate their accounts in subsequent authentication sessions to bypass two-factor authentication (4.9 and 5.1 series affected)
PMASA-2022-2: This vulnerability allows an attacker to submit malicious input for XSS or HTML injection attacks in the graphical settings page (only the 5.1 series is affected, not 4.9)
In some cases, potentially sensitive information (such as database names) is exposed in the URL; encrypting this information is now supported (4.9 and 5.1 series affected)

During failed login attempts, error messages display the hostname or IP address of the target database server, which can leak some information about the network infrastructure. This can now be suppressed using the $cfg['Servers'][$i]['hide_connection_errors'] directive (4.9 and 5.1 series affected)

New in 5.2.0-rc1

Removed support for Microsoft Internet Explorer
Requires PHP 7.2 or higher
Requires the openssl PHP extension to be installed
Improved handling of system CA bundles and cacert.pem, with a fallback to the Mozilla CA bundle if needed
Uses "primary/replica" instead of "master/slave"
Adds the "NOT LIKE %…%" operator to Table search
Support for the Mroonga engine
Support for locked accounts
Fixes and improvements to the SQL parser library

Download: https://phpmyadmin.net/downloads/
