Arbitrary file read vulnerability
AllowArbitraryServer configuration set
true, with the use of a rogue MySQL server,
an attacker can read any file on the server that the web
server's user can access.
phpMyadmin attempts to block the use of
INFILE, but due to a bug in PHP,
this check is not honored. Additionally, when using the
'mysql' extension, mysql.allow_local_infile
is enabled by default. Both of these conditions allow the
attack to occur.
We consider this vulnerability to be critical.
This attack can be mitigated by setting the
`AllowArbitraryServer` configuration directive to false
(which is the default value).
phpMyAdmin versions from at least 4.0 through 4.8.4 are
SQL injection in Designer feature
A vulnerability was reported where a specially crafted
username can be used to trigger an SQL injection attack
through the designer feature.
We consider this vulnerability to be serious.
phpMyAdmin versions from 4.5.0 through 4.8.4 are affected