Hi Oleg,

You haven't specified anywhere under what licence have you put phpminiadmin. Can you please mention a licence on readme?

There are multiple instances of XSS within PHPMiniAdmin. Some of them are stored, which implies that it will persist for all users and social engineering is not required.

The easiest way to patch this is simply use htmlentities every time you echo something.

At someone hosting the function set_time_limit() is disabled and we see this error:

Warning: set_time_limit() has been disabled for security reasons in /var/www/***/phpminiadmin.php on line 952

May be write all (line 822, 952):

@set_time_limit(600);

This not correct but ignore warning message if it not disabled manually.

I cannot load phpminiadmin.php, I see an empty white page, however, I am able to load another php file (phpinfo.php, containing the phpinfo() function), what else do I need to get it to work?

3 years no updates, no fixes for new php versions

unsupported pdo_mysql?

Running under php 7.4 generates this warning. Apparently it should simply be removed and not replaced with anything.

Is there a way to prevent this script from dumping all database connection strings into a cookie/session?

Feature

The current interface does not indicate the number of lines of a "select" result.
It could be useful to retrieve this number (like mysql_num_rows) without doing new request or counting pages / going to last page.

Is there some way to configure connecting to the server via SSL using ca-certs?

Maybe move all the css styles to external skin.css file?

A mini tutorial on how to setup would be appreciated. Can you include a set up guide in Readme.md

Currently I am unable to get past the security page. I receive a blank page at http://localhost/phpminiadmin.php, I do get the page which asks for $ACCESS_PWD though. But I am unable to go to the main page despite giving correct password.

Hi,

I normally use latest Debian for new server environments on which I normally install Drupal applications.
I remember that on some new server environments, I had to install mbstring and mcrypt to use PHPMyAdmin.

I read phpminiadmin's project page but didn't find a statement if any packages are needed (I assume none are needed).
I would personally love to read a sentence like "no php extension-packages are needed on Linux distributions/Debian".

Ben,

I didn't find a way to download the latest pmad release in a version agnostic way.

In PHPmyadmin for example, one can download it in a version agnostic way like this:

wget -P /var/www/html https://www.phpmyadmin.net/downloads/phpMyAdmin-latest-all-languages.zip

What I desire is to download pmad in a similar way with wget, yet in the site I only found a sourceforge dependent way (seemingly one has to go into sourceforge and download from a dynamically created link).

If mysql host is not default and "remember me" checkbox on login form is not set, then after successfull login i can not do anything - i'm getting logged out after clicking on any button.

Posting here at the request of developer. I am no developer myself and as such I'm unsure what causes the actual issue code-wise or how to fix it.

Found a DOM XSS vulnerability in the app, specifically in the database login screen. By serving a victim a malicious URL, an attacker can inject a script into the "onclick" attribute of the Cancel button, which will trigger when clicked. If the user is not already logged in then using the ?showcfg=1 paramater is not necessary as it is essentially the same page. The examples provided are for ease of access on the live demo, but they work on the latest version of the app aswell.

With this vulnerability it has been confirmed possible to also exfiltrate form-data from the page using injected Javascript.

Proof-of-concept payloads can be provided on request if necessary, as well as screenshots and similar.

Hello. Are there any plans on moving to MySQLi? It appears the MySQL extension will be removed in PHP 7, so it would be good to switch. Or, use PDO (which could make it simple to support other database types in the future). I wouldn't mind working on this if you don't have any current plans.

I'm using phpMiniAdmin 1.8.120514. I think a logoff link is missing in the top bar.
Can you add a link like the one you have on phpminiadmin.sourceforge.net/phpminiadmin.php :
http://phpminiadmin.sourceforge.net/phpminiadmin.php?XSS=E1b09B3c908cb&logoff=1
?

Thanks

Screenshot attached.

First, I'm very impressed the program and using very well, So thank you your contributes.

In my contry I don't use English and when I export my table, and open the csv file, the charter's are broken (not english). So, I suggest adjust code line 792

if ($DB['chset']=='utf8') ex_end($BOM);

to->

if ($DB['chset']=='utf8') ex_w($BOM); ex_end();

Function ex_end() is here,

function ex_end(){
global $ex_isgz,$ex_gz,$ex_tmpf;
if ($ex_isgz){
gzclose($ex_gz);
readfile($ex_tmpf);
}
}

There is no parameter in definition, So I insert the ex_w() function.

Thank you

Hi osalabs,
could you please have a look at this:
http://www.websecuritywatch.com/multiple-xss-vulnerabilities-in-phpminiadmin/

The xss examples posted there really work.

PHPMiniAdmin is vulnerable to a Microsoft Excel specific attack named CSV Excel Macro Injection. An attacker can add in formulas like =1+1 into the DB and when exported into CSV, these formulas can be executed. This can lead to the take over of a user's PC, assuming they enable macros within Microsoft Excel.

To patch this bug, I would suggest when creating the CSV file, simply add a single quote (') before any field that contains an =, +, - or @ sign at the start of the field.

Hope this helps keep your software more secure!

It would be handy I think if an option were available to dump the .sql file right onto the server rather than downloading it to the desktop machine.