Hello,
The phpMyAdmin team announces the release of both phpMyAdmin versions 4.9.6 and 5.0.3.
Both versions contain several important security fixes:
- PMASA-2020-5 XSS vulnerability with transformation feature
- PMASA-2020-6 SQL injection vulnerability with the search feature
In addition, 5.0.3 contains many bugfixes. Some of the highlights include:
- Fix an error message about htmlspecialchars() when attempting to export XML
- Support double tapping to edit on mobile
- Fix the error message “Use of undefined constant MYSQLI_TYPE_JSON” when using mysqlnd
- Fix fatal JS error on index creation after using Enter key to submit the form
- Fix “axis-order” to swap latitude and longitude on MySQL 8.1 or newer
- Fix an error when overwriting an existing query bookmark
- Fix some warnings that appear with PHP 8
- Fix alter user privileges query when editing an account with MySQL 8.0.11 and newer
- Fix issues regarding TIMESTAMP columns with default CURRENT_TIMESTAMP in MySQL 8.0.13 and newer
- Fix a message that “Warning: error_reporting() has been disabled for security reasons” on php 7.x
There are many other bugs fixes, please see the ChangeLog file included with this release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the upgraded authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/