"phpMyAdmin HackTricks Patched" typically refers to the ongoing cycle of security researchers discovering and documenting exploitation techniques for phpMyAdmin (often cataloged on platforms like HackTricks
The only truly secure phpMyAdmin is the one that is never exposed to the internet. Everything else is just a patch away from being the next headline.
Regularly review the logs for any suspicious activity and perform security audits.
The Patch:
The checkFileAccess() function now resolves all .. and symlinks.
1.2 Local File Inclusion via goto Parameter (CVE-2018-12613)
4. The “CVE-2022-23808” – SQL Injection in the Linter (Patched)
- SQLi in import parser (patched): A parsing bug allowed crafted SQL files to inject additional queries outside expected statements. Patch: stricter parsing and parameterized internal handling.
- CSRF on specific export/import endpoints (patched): Hardening of CSRF token checks and enforcement on all side-effect endpoints.
- Stored XSS in table/comment rendering (patched): Output encoding added for object names and user-supplied data shown in UI.
- Authentication/session fixes: Session validation tightened; session cookie flags (HttpOnly, Secure) enforced when possible.
- File upload path traversal (patched): Normalization and whitelist checks for file paths; disallowing traversal sequences.
- Deserialization hardening: Removed unsafe unserialize usages and added input validation; use of JSON where appropriate. Note: exact CVE numbers and version fixes depend on the phpMyAdmin advisory; check vendor advisories for specifics.