Skip navigation

Vulnerability in phpMyAdmin Requires Immediate Patch

A critical CSRF Vulnerability in phpMyAdmin Database administration tool has been found and a patch is available for all computers and servers running the MySQL database.

Does this include you?

If you are using WordPress, yes it does.

Contact your web host to ensure phpMyAdmin is updated immediately.

If you are self-hosted and manage your own server, update phpMyAdmin immediately.

If you are using WordPress or phpMyAdmin and MySQL on your computer through WAMP, MAMP, XAMPP, Instant WordPress, DesktopServer, BitNami or any of the other ways you can install WordPress on your computer or a stick (USB), update phpMyAdmin by using the patch or check the install technique’s site for updates.

If you are using WordPress.com, don’t worry. This does not apply to you or your site.

The flaw affects phpMyAdmin versions 4.7.x prior to 4.7.7. Hopefully, your server/web host company has been updating phpMyAdmin all along and you don’t need to worry, but even though this is a medium security vulnerability, it is your responsibility as a site owner and administrator to ensure that your site is safe. Don’t just rely on GoDaddy, Dreamhost, or whatever hosting service you use to take care of these things for you. Sometimes they are on top of these before an announcement is made public. Other times, they are clueless and require customer intervention and nagging.

Now, what is phpMyAdmin?

MySQL is an open source database program, and phpMyAdmin is the free, open source tool that makes the administration and use of MySQL easier to manage. It is not a database. It is a database manager. You can easily search and replace data in the database, make changes, and do other maintenance and utility tasks in the database.

Every installation of WordPress requires PHP and MySQL along with a variety of other web-based programming packages and software. Most installations by web hosts and portable versions of WordPress add phpMyAdmin to manage the WordPress site. It is not required for WordPress to work, but don’t assume that it is or isn’t installed. CHECK.

To find out if phpMyAdmin is installed on your site:

  1. Check with your web host and ask. Don’t expect their customer service staff to know for sure. Make them check your account and verify whether or not it is installed, and if they’ve updated. Push them for a specific answer.
  2. Check the site admin interface (cPanel, Plesk, etc.) to see if it is installed.
  3. Log into your site through secure FTP into the root (if you have access) and look for the installation at /usr/share/phpmyadmin or localhost/phpmyadmin. Unfortunately, it could be anywhere depending upon the installation as these are virtual folders, not folders found on your computer, so it must be assigned to a location.
  4. If running a portable installation of MySQL and/or WordPress, follow the instructions for that tool and download and install all patches to ensure phpMyAdmin is updated to the latest secure version.


24 Comments

  1. Posted January 6, 2018 at 4:55 pm | Permalink

    Thanks for this. However, like so many creative users on WordPress who use it to post about what we do, I have no clue what you are talking about. I guess I’ll just live with whatever happens. Try again in some kind of English, that non-coders might understand.

    • VinnieJT
      Posted January 7, 2018 at 11:18 am | Permalink

      This does not apply to WordPress.com websites Ray – only the self-hosted version. Nothing for you to see here 🙂

    • Posted January 7, 2018 at 6:22 pm | Permalink

      Lol! I thought I’d mentioned that. I’ll make sure that is clear. Thanks.

    • Posted January 13, 2018 at 2:39 am | Permalink

      I see. I guess I’ll build the more important of the two sits – the commercial one – somewhere else. You know “website in a box.” 😂

    • Posted January 7, 2018 at 6:28 pm | Permalink

      As mentioned, if you are on WordPress.com, you don’t have to worry.

      As simply, explained in the article, phpMyAdmin helps you access the database. It is not required to run WordPress. When you publish on WordPress, everything is added to a database. Each word, title, author, category, tag, you are literally filling out a giant form into a database. The security issue is with a tool that can access that database. I hope that helps.

    • Posted January 13, 2018 at 2:36 am | Permalink

      I doesn’t, but that’s fine. It’s overly complicated issues like those that keep me from moving my commercial website to WordPress. I’d like to put everything in one place, but I don’t dare do it. Oh well.

    • Posted January 13, 2018 at 6:25 am | Permalink

      This issue has nothing to do with WordPress. It is a security issue with a popular but optional administrative tool for the database used by many if not most contention management systems. Again, contact your hosting company to ensure they have updated everything. Nothing complicated about that. Part of the process. Good luck with your project.

    • Posted January 13, 2018 at 10:58 am | Permalink

      If WordPress is the face, than it has everything to do with WordPress. Kicking the can doing the road doesn’t work. And, there you go again. “Contention Management System.” WTH is that?

      Speak English to those of us who really don’t want to sit inside all day at a screen.

      Given your comments, my project’s scope has changed somewhat… maybe you can be helpful with this. How do I move everyone who has followed my here to my new Website and blog?

    • Posted January 13, 2018 at 12:35 pm | Permalink

      Thank you for your comments and determination to understand how all this works. Luckily, we have access today to services like Google to look up common terms unfamiliar to you in this industry. A content management system or CMS is anything that allows you to publish on the web. Facebook is a form of CMS.

      The program phpMyAdmin is NOT required for WordPress.

      This is not the post to answer your question, however depending upon how you move your site, followers and subscribers are automatically included from WordPress installation to another WordPress installation. If you are switching to another CMS, check with them, about what data is imported.

      I do hope you get help with this as I’m sure your website is critical to you and your success. Messing around with it like you suggest may cause disruptions to your business and cost you more to fix.

    • Posted January 14, 2018 at 8:41 pm | Permalink

      I’m not moving WordPress to WordPress. You’re snarky and rude comment about Google says anything that anybody needs to know. About you. For that you owe me an apology.

      Besides, CMS, depending on industry means quite a few different things.

      As far as websites go, most social networks — especially Instagram — have eliminated the need for websites, unless you sell stuff directly. But, you know that.

    • Posted January 14, 2018 at 8:45 pm | Permalink

      Im sorry you took my comment as snarky. It is often a challenge to type without emotional indicationers as that was not my intension. We are very privileged to live in a world where answers to all our questions are readily available, including my ability to answer your questions without charge.

      Good luck with your project.

    • Posted January 15, 2018 at 10:21 am | Permalink

      Thank you. As far as without charge goes, you work for WordPress. I pay WordPress for the next level of service. You can do no less than answer my questions “for free.”

      Please try to understand where I’m coming from, and, where I guess many of your users are coming from too.

      While Steve Jobs was not my big hero, he understood one thing very well. Most of us don’t want to be coding experts or learn how to do work arounds and so on and on. We just want to do whatever it is we do without a lot of technical issues. That’s it.

      For me, I want to show my new work to people. I want my clients to be able to see what I’m doing. I don’t sell online. I work by commission. And, luckily, for pretty good money. Note the use of the word luckily. 🙂

      I don’t want to write code. I don’t want to learn, what for me, is a whole other kind of work. For sure, WordPress is a solid platform. I’ve looked at your VIP list. And, it doesn’t surprise me. But, many of those companies have their own IT staffs. Some focused on just WordPress code, which is different than many other systems.

      I’m just one guy, except when I need assignment support. Even if I were young enough (I’m an old guy) to want to learn the coding it takes to make WordPress really fly, it would take so much time away from my work that it would probably be counter productive.

      I agree, moving to what I call a website in a box, isn’t a great option. But, I can do that. I don’t have to ask 6,897,905 questions just to change the size of a photograph, or make a different headline…

      I hope you understand.

    • Posted January 15, 2018 at 11:04 am | Permalink

      I do not work for WordPress or Automattic, the company that owns and manages WordPress.com, a web hosting company. Just because you pay for WordPress.com hosting and premium services, you are NOT paying for the 15 years of volunteer time, energy, and development that went into the Open Source web publishing platform of WordPress, that WordPress.com incorporates into its hosting services.

      I understand it is confusing, but WordPress.com is a business separate from the non-profit WordPress.org and WordPress Foundation that supports the community volunteers and their efforts. WordPress is free. You are paying for features that overlay WordPress, and for support and hosting services, not WordPress directly.

      I’ve been a volunteer without compensation since 2003 for the WordPress Community. I do not have to answer your questions. I’ve been patient and gracious in responding to you, and this I do without requirement nor compensation. You have been rude, inconsiderate, and obstinate in response to my efforts to help you understand how this all works.

      We all have businesses. We all have to learn things that we don’t want to learn in order to do those businesses and live our passions and generate the income that makes life comfortable, and allows us to volunteer for other projects that feed our passions, as does my volunteer work within the WordPress Community. What you call website-in-a-box takes great skill, expertise, programming, design, and development to “make it easy” for you to publish. They all deserve your respect as well.

      Again, good luck with your project, whatever you do. I hope you learned a little about what it takes to make WordPress and other open source projects. And I hope you show gratitude for the thousands of volunteers who gave freely of their expertise for the past 15 years to make WordPress easy, and free, to use.

  2. Loretta Oliver
    Posted January 7, 2018 at 11:21 am | Permalink

    Thank you for this. I’m fortunate that my hosting provider is really good about keeping things up to date and they’re super responsive if I ask about security patches or broken bits.

  3. Posted January 7, 2018 at 1:45 pm | Permalink

    Thanks for the information, I may not be cautious about security but I hope my host will keep up.

  4. David Farr
    Posted January 8, 2018 at 11:02 am | Permalink

    I run my own VPS and just updated to the latest version of cPanel but my version of phpmyadmin is 4.7.3. Is there an “easy way” to update without needing to get my programmer to SSH in and run in through shell?

    • Posted January 8, 2018 at 11:17 am | Permalink

      Read through the instructions on updating phpMyAdmin. Im sure you can handle it. Let us know how it goes.

  5. Posted January 8, 2018 at 1:24 pm | Permalink

    Thanks for the heads up. Thankfully our manage hosting do not provide phpmyadmin but a custom db management panel.

  6. Posted January 9, 2018 at 10:37 pm | Permalink

    Many thanks for the info. I’ve checked my webhost and fortunately they update regularly. On version 5.6.32 . many thanks

  7. Daniel
    Posted January 11, 2018 at 3:01 am | Permalink

    From the Cpanel Forums…

    The instance of phpMyAdmin we provide isn’t vulnerable to CSRF/XSRF attacks like the one in this vulnerability because we use security tokens:

    Security Tokens

    That said, internal case CPANEL-17713 is open to update phpMyAdmin to version 4.7.7. I’ll monitor the case and update this thread with more information on the status of it’s implementation as it becomes available.

    https://forums.cpanel.net/threads/pmasa-2017-9-xsrf-csrf-vulnerability-in-phpmyadmin.618971/

    hope that helps anyone else running WHM

  8. Posted January 11, 2018 at 4:54 am | Permalink

    Thankyou!


2 Trackbacks/Pingbacks

  1. […] Vulnerability in phpMyAdmin Requires Immediate Patch (Lorelle VanFossen) […]

  2. […] https://lorelle.wordpress.com/2018/01/06/vulnerability-in-phpmyadmin-requires-immediate-patch/ […]

Post a Comment