When discussing "phpMyAdmin HackTricks patched," you are likely referring to the mitigation of common attack vectors documented in the popular cybersecurity resource HackTricks. While HackTricks lists various exploitation methods—such as Local File Inclusion (LFI), Remote Code Execution (RCE) via SELECT INTO OUTFILE, and Cross-Site Request Forgery (CSRF)—most of these are effectively neutralized in modern, patched versions of phpMyAdmin. Key Patched Vulnerabilities and Mitigations
LFI and RCE (CVE-2018-12613): One of the most famous exploits documented on HackTricks involved a file inclusion flaw that allowed attackers to execute arbitrary code. This was fully patched in version 4.8.2. Modern versions strictly validate the target parameter to prevent directory traversal.
Secure File Privileges: HackTricks highlights the use of SELECT ... INTO OUTFILE to gain a shell. In modern, secure installations, this is "patched" through system-level configuration:
The MySQL secure_file_priv variable is typically set to a specific directory or NULL, preventing phpMyAdmin from writing files to the web root.
PHP's open_basedir restrictions further limit where scripts can read or write.
CSRF Protection: Older versions were susceptible to attackers tricking authenticated admins into performing actions via malicious links. phpMyAdmin now uses robust Token-based CSRF protection (specifically the token parameter in requests) to ensure every action is intentional.
Authentication Bypass: Various bypasses using specific configurations (like AllowNoPassword) are now disabled by default and flagged as security risks during setup, forcing users toward more secure authentication methods like cookie or config with strong secrets. How to Ensure Your Instance is Protected
Version Control: Always run the latest stable version from the official phpMyAdmin site.
Web Server Hardening: Implement IP Whitelisting in your .htaccess or Nginx config so only trusted IPs can access the /phpmyadmin directory.
Renaming the Directory: Change the default /phpmyadmin URL to something obscure to avoid automated "brute-force" scanners and bots that use HackTricks-style reconnaissance.
Force HTTPS: Ensure ForceSSL is enabled in config.inc.php to prevent credential sniffing on the network.
By staying updated, the majority of the "tricks" found on penetration testing wikis become useful only for educational purposes or legacy system audits rather than active threats.
This report analyzes the security posture of phpMyAdmin in relation to the popular penetration testing resource HackTricks. While HackTricks provides a comprehensive roadmap for exploiting outdated versions, modern patches have effectively neutralized these "classic" attack vectors. ⚡ Executive Summary
The most critical vulnerabilities traditionally associated with phpMyAdmin (such as CVE-2018-12613) have been patched for years. Current security risks are primarily driven by misconfigurations, weak credentials, or server-level vulnerabilities (like glibc issues) rather than flaws in the phpMyAdmin code itself. 🛠️ The "HackTricks" Attack Surface (Patched)
HackTricks details several high-impact techniques that are now blocked in all current, stable versions. 1. Authenticated Remote Code Execution (LFI to RCE)
The Attack: Exploiting CVE-2018-12613 via a session-based Local File Inclusion (LFI) to execute code. Patch Status: Fully Patched since version 4.8.2.
Current State: Modern versions use strict whitelist validation for included files, making this bypass impossible. 2. File Read/Write via SQL (INTO OUTFILE)
The Attack: Using the SELECT ... INTO OUTFILE command to write a web shell to the server or LOAD_FILE() to read sensitive configs. Patch Status: Mitigated via database-level configurations.
Modern Defense: The secure_file_priv global variable in MySQL is now set to NULL by default, blocking all file exports unless explicitly enabled by an admin. 3. Cross-Site Scripting (XSS)
Recent Vulnerabilities: New XSS flaws like CVE-2025-24530 (Check tables) and CVE-2025-24529 (Insert functionality) were recently identified. Patch Status: Patched in version 5.2.2 and later. 🛡️ Modern Security Checklist
To move beyond the vulnerabilities listed on HackTricks, implement these defense-in-depth measures: 🔑 Authentication & Access CVE-2025-24530: phpMyAdmin XSS Vulnerability - SentinelOne
.htaccess or server configuration files to restrict access to phpMyAdmin.Example for Apache .htaccess:
Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from ::1
As of this review, here are hacktricks that still work on fully patched phpMyAdmin if you have the right conditions: phpmyadmin hacktricks patched
?route=/ – No rate limiting by default. Attackers can hammer index.php?route=/ with password lists.phpMyAdmin cookie if SameSite isn’t enforced.phpinfo() – Many hosts leave phpinfo.php alongside PMA. An attacker can find the PMA session save path, then attempt a local file inclusion via ?db=../../../../tmp/sess_*.These are not patched because they are configuration issues, not code bugs.
While the official changelogs claim “security fix applied,” the reality is more nuanced. As a penetration tester, I’ve seen:
token= parameter’s case-sensitivity.AllowRoot = true and Blowfish key generation scripts that are often left as ’abc’ by lazy admins. No patch can fix a $cfg['blowfish_secret'] = '';.secure_file_priv = /dev/null (or a specific temp directory) to prevent INTO OUTFILE webshells.SELECT on mysql tables, no FILE or EXECUTE).When a security advisory says "phpMyAdmin patched," it usually means one or more of the following defense layers have been applied.
Apply vendor advisories and specific CVE patches promptly. For exact CVE identifiers, patch notes, and version details, consult the official phpMyAdmin security advisories.
(Invoking related search suggestions for further exploration...)
Searching for "phpMyAdmin HackTricks patched" reveals a shifting landscape where classic exploits documented by the HackTricks pentesting guide
have largely been addressed in current versions. Modern security for phpMyAdmin now focuses on preventing Remote Code Execution (RCE) through file inclusion and securing Two-Factor Authentication (2FA) Key Patched Vulnerabilities (Commonly Cited in HackTricks) Authenticated RCE via Local File Inclusion (CVE-2018-12613) : A failure in the Core::checkPageValidity
function allowed authenticated users to include local files.
: Attackers could execute arbitrary PHP code by including session files containing malicious payloads. : Patched in versions
and newer; users are urged to upgrade to the latest 5.x or 6.x branches. 2FA Bypass (PMASA-2022-1 / CVE-2022-23807)
: A logic error in how phpMyAdmin handled 2FA status allowed a valid user to manipulate their account to bypass 2FA in future sessions. : Resolved in versions SQL Injection in User Accounts (CVE-2020-5504)
: Improper sanitization of the 'username' field on the user accounts page. : Fixed in versions Recent Security Hardening (2025-2026) Vulnerability / Feature Recent Update / Fix glibc/iconv (CVE-2024-2961) Mitigation for potential exploits during data export. URL Query Encryption New directives $cfg['URLQueryEncryption'] to hide sensitive info like DB names in URLs. Feature Added Connection Error Suppression
Option to hide server hostnames/IPs in failed login messages via $cfg['Servers'][$i]['hide_connection_errors'] Feature Added How to Stay Patched official phpMyAdmin news security policy recommend these proactive steps: phpMyAdmin
"phpMyAdmin HackTricks Patched" typically refers to the ongoing cycle of security researchers discovering and documenting exploitation techniques for phpMyAdmin (often cataloged on platforms like HackTricks
) and the subsequent official patches released by developers to mitigate these risks. The Evolution of phpMyAdmin Security and Patching Vulnerability Discovery & Documentation : Platforms like HackTricks
provide detailed guides on how to exploit misconfigurations and vulnerabilities in phpMyAdmin, such as Remote Code Execution (RCE) via Local File Inclusion (LFI). A notable example is CVE-2018-12613
, where an authenticated user could include local files, potentially leading to full server compromise. Official Patches and PMASA
: The phpMyAdmin team addresses these documented threats through phpMyAdmin Security Announcements (PMASA)
. For instance, the aforementioned CVE-2018-12613 was officially patched in version 4.8.2 . More recent vulnerabilities, such as CVE-2024-2961 glibc/iconv issue affecting the export feature), have been patched in version 5.2.2 Common Attack Vectors & Their Mitigations Authentication Bypass : Historical vulnerabilities like CVE-2016-6629
allowed attackers to bypass server restrictions through cookie manipulation. Modern patches for Two-Factor Authentication (2FA) bypasses (CVE-2022-23807) were released in versions SQL Injection : Vulnerabilities like CVE-2020-5504
, which affected the 'username' field, were addressed in updates for both the 4.x and 5.x branches. Security Best Practices
: To move beyond a reactive "patch-and-hack" cycle, administrators are encouraged by experts at Immediately upgrade to the latest stable version. Restrict access using IP whitelisting Disable high-risk features like privileges to prevent INTO OUTFILE Use strong, non-default credentials for all database users. technical walkthrough Apache/Nginx Configuration: Use
HackTricks highlights CVE-2018-12613, an authenticated Remote Code Execution (RCE) vulnerability in phpMyAdmin versions 4.8.0 and 4.8.1, as a significant, yet historically patched, Local File Inclusion (LFI) issue. The flaw, allowing attackers to execute PHP code via
, was officially resolved in version 4.8.2, making current, updated versions secure. For a detailed technical breakdown, visit HackTricks.
Title: phpMyAdmin: Common Hacktricks & How They Are Patched
Introduction phpMyAdmin is a prime target for attackers due to its widespread use and direct access to databases. While "hacktricks" (common enumeration and exploitation techniques) exist, most have been effectively patched in recent versions. Below is a breakdown of classic attack vectors and the corresponding fixes.
1. Default Credentials & Bruteforce
root:root, root:"", or pma:pmapass. Using hydra or medusa against the login panel.$cfg['Servers'][$i]['AllowNoPassword'] = false, and implement login session delays. Tools like fail2ban are now standard recommendations.2. Path Traversal (CVE-xxxx)
?/../../config.inc.php to read sensitive files.index.php now rejects any parameter containing ../ or encoded variants (%2e%2e%2f).3. SQL Injection in Setup Script
/setup endpoint allowed unauthenticated SQL execution via crafted POST data./setup directory is removed in production builds. If present, access is blocked by default IP restrictions and requires explicit $cfg['Server']['auth_type'] = 'config'.4. Remote Code Execution (RCE) via Table Name
SELECT ... INTO OUTFILE to write a webshell.OUTFILE generation now requires FILE privilege (often revoked), and $cfg['SaveDir'] is empty by default. Additionally, table names are escaped before being written to disk.5. XSS & CSRF to Steal Session
db parameter in the URL to execute JavaScript in the victim's browser.token= parameter).6. Old Version Fingerprinting
/doc/html/index.html or /readme to grab version number.$cfg['VersionCheck'] = false.Current Recommendations (for defenders)
.htaccess IP whitelisting.$cfg['Servers'][$i]['hide_db'] to hide sensitive system databases.For Penetration Testers Old "hacktricks" may no longer work. Focus on:
config.inc.php with world-readable permissionsConclusion While phpMyAdmin had a rough security history, the project has systematically patched nearly all classic hacktricks. The remaining risks come from poor deployment hygiene, not the software itself.
Securing a phpMyAdmin installation is critical because it is a high-value target for attackers. HackTricks, a popular cybersecurity resource, outlines several vectors used to compromise unpatched or poorly configured versions. 🛠️ Patching and Hardening Guide
The most effective way to prevent "HackTricks-style" exploits is to keep the software updated and restrict access. 1. Update to the Latest Version
Check your current version at the bottom of the phpMyAdmin main page.
Download the latest stable release from the official phpMyAdmin site.
Why: Recent versions include patches for critical vulnerabilities like Local File Inclusion (LFI) and Cross-Site Request Forgery (CSRF). 2. Restrict Access via IP Limit access so only your IP can reach the login page. Apache (.htaccess):
location /phpmyadmin allow [YOUR_IP_ADDRESS]; deny all; Use code with caution. Copied to clipboard 3. Change the Default URL
Attackers use automated bots to scan for /phpmyadmin or /pma.
Rename the directory to something obscure (e.g., /db_manage_xyz).
Update your web server configuration to point to the new folder name. 4. Enable Two-Factor Authentication (2FA) Modern versions support 2FA. An authenticated phpMyAdmin user (CSRF
Navigate to Settings > Two-factor authentication within the phpMyAdmin panel to set up Google Authenticator or Hardware keys. 5. Disable Dangerous MySQL Privileges
Attackers often try to use SELECT INTO OUTFILE or general_log to write "WebShells" (malicious scripts) to the server.
Ensure the database user does not have the FILE privilege unless absolutely necessary.
Run this SQL command to check: SELECT User, File_priv FROM mysql.user; ⚠️ Common "HackTricks" Attack Vectors
LFI (Local File Inclusion): Exploiting older versions to read sensitive server files like /etc/passwd.
WebShell via Logs: Turning on the general_log and setting the log path to a PHP file in the web directory.
Brute Force: Using default credentials (root/no password) or weak passwords.
Next StepsIf you want to verify your security, I can help you:
Check if your server permissions prevent writing files to the web root.
Draft a configuration file (config.inc.py) that disables the most dangerous features.
Find the exact CVEs (vulnerability IDs) for the version you are currently running. Which of these HackTricks - HackTricks
The search for "phpmyadmin hacktricks patched" refers to the evolution of security testing methodologies documented on platforms like HackTricks versus the official patches released by the phpMyAdmin development team
. In cybersecurity contexts, this often centers on the transition from "active exploitation" to "mitigated vulnerability." The "HackTricks" Factor in phpMyAdmin Security HackTricks
is a renowned wiki that details exploitation paths for various services. For phpMyAdmin, it outlines methods for attackers to move from database access to full system compromise (Remote Code Execution), often leveraging features like: book.hacktricks.xyz SELECT ... INTO OUTFILE : Writing a web shell directly to the server. Log File Poisoning
: Injecting PHP code into log files and executing them via Local File Inclusion (LFI). Misconfigured Variables : Exploiting settings like secure_file_priv AllowArbitraryServer book.hacktricks.xyz Significant "Patched" Vulnerabilities
The term "patched" signifies that the development team has officially addressed a flaw, rendering the HackTricks methodology for that specific version obsolete. Key milestones include: Vulnerability (CVE) Attack Type Status & Patch CVE-2018-12613 LFI to RCE
in version 4.8.2. This was a classic "HackTricks-style" exploit involving a flawed page redirection check. CVE-2025-24530
in version 5.2.2. Found in the "Check tables" feature where crafted table names could trigger malicious scripts. CVE-2024-2961 glibc/iconv
via upgrade to 5.2.2. A vulnerability in the underlying system library that could be leveraged through phpMyAdmin's export features. The "Cat-and-Mouse" Cycle The relationship between platforms like HackTricks and official patches creates a security lifecycle: PMASA-2025-1 - phpMyAdmin
Creating a secure and patched version of phpMyAdmin, as described in a walkthrough like HackTricks, involves several steps and best practices. HackTricks is a great resource for learning about penetration testing and security, offering insights into vulnerabilities and how to exploit them, as well as how to defend against such exploits.
The information below aims to guide you through securing phpMyAdmin and patching common vulnerabilities, reflecting the kind of content you might find on HackTricks, but focused on mitigation and security enhancement.
Older versions (pre-3.4.4) had a logic flaw: if the $cfg['Servers'][$i]['AllowNoPassword'] was set to true (default in some older XAMPP stacks), an attacker could simply leave the password field blank.
Patch Status: Hardened. Modern config.inc.php sets AllowNoPassword = false by default. Moreover, modern phpMyAdmin enforces the MySQL server’s authentication plugin (e.g., caching_sha2_password), making empty passwords impossible unless explicitly overridden.