Bringing MySQL administration to the web

Download 5.2.3
Demo Donate

PMASA-2014-17

Announcement-ID: PMASA-2014-17

Date: 2014-12-03

Summary

DoS vulnerability with long passwords.

Description

With very long passwords it was possible to initiate a denial of service attack on phpMyAdmin.

Severity

We consider this vulnerability to be serious.

Mitigation factor

This vulnerability can be mitigated by configuring throttling in the webserver.

Affected Versions

Versions 4.0.x (prior to 4.0.10.7), 4.1.x (prior to 4.1.14.8) and 4.2.x (prior to 4.2.13.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.7 or newer, or 4.1.14.8 or newer, or 4.2.13.1 or newer, or apply the patch listed below.

References

Thanks to Javier Nieto and Andres Rojas for reporting this vulnerability.

Assigned CVE IDs: CVE-2014-9218

CWE IDs: CWE-661 CWE-400

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 4.0 branch to fix this issue:

The following commits have been made on the 4.1 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.

Announcements