CVE-2011-1941
Description
Open redirect vulnerability in the redirector feature in phpMyAdmin 3.4.x before 3.4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 3.4.0, < 3.4.1 | 3.4.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:3.4.0.0:*:*:*:*:*:*:*
- (no CPE) range: < 3.4.1
Patches
Vulnerability mechanics
Root cause
"Improper input validation in the URL redirector allows for arbitrary redirection to external sites."
Attack vector
A remote attacker can trigger this vulnerability by providing a crafted URL to the redirector feature, which then redirects the user to an arbitrary website. This can be used to conduct phishing attacks by leveraging the trusted domain of the phpMyAdmin installation [CWE-20]. The advisory does not specify the exact vectors used to supply the malicious URL.
Affected code
The vulnerability exists in `url.php` and the `PMA_linkURL` function within `libraries/core.lib.php`. These components fail to properly validate or restrict the destination URL provided to the redirector feature [patch_id=21538, patch_id=21539].
What the fix does
The patches implement stricter validation for the redirector by requiring a valid token via `PMA_isValid` in `url.php` [patch_id=21539]. Additionally, the `PMA_linkURL` function was modified to prevent the use of the redirector during setup, as it could not be adequately protected [patch_id=21538]. These changes ensure that only authorized requests are processed, mitigating the open redirect risk.
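The token-gated redirector pattern described above, sketched as an added example; this is not phpMyAdmin's patch code. The function names, parameters and sample values are hypothetical, and the scheme and control-character checks go beyond the token requirement this page describes.

```php
<?php
// Added illustration, not phpMyAdmin source. All names here are hypothetical.

/** Vulnerable pattern: the destination is taken from the request unchecked. */
function redirect_target_unsafe(array $query): string
{
    return $query['url'] ?? '/';
}

/**
 * Hardened pattern: the link must carry the session's token and the
 * destination must be a single-line absolute http(s) URL; anything else
 * falls back to the application's own start page.
 */
function redirect_target(array $query, string $sessionToken, string $fallback): string
{
    $token = $query['token'] ?? '';
    $url   = $query['url'] ?? '';

    // Reject arrays and other non-string input before any comparison.
    if (!is_string($token) || !is_string($url) || $sessionToken === '') {
        return $fallback;
    }
    // Constant-time comparison: only links generated for this session pass.
    if (!hash_equals($sessionToken, $token)) {
        return $fallback;
    }
    // No control characters (blocks header injection), http/https only.
    if (preg_match('/[\x00-\x1f\x7f]/', $url) || !preg_match('#^https?://[^/\s]#i', $url)) {
        return $fallback;
    }
    return $url;
}

// Constructed sample requests (no real session or site involved).
$session = 'constructed-session-token';
$home    = '/index.php';
$cases = [
    'link built by the app' => ['url' => 'https://docs.example.org/page', 'token' => $session],
    'link without a token'  => ['url' => 'https://other.example.net/'],
    'wrong token'           => ['url' => 'https://other.example.net/', 'token' => 'guess'],
    'non-http scheme'       => ['url' => 'ftp://files.example.org/x', 'token' => $session],
    'CR/LF in destination'  => ['url' => "https://docs.example.org/\r\nX: y", 'token' => $session],
];
foreach ($cases as $label => $query) {
    printf("%-22s unsafe=%s hardened=%s\n", $label,
        json_encode(redirect_target_unsafe($query)),
        json_encode(redirect_target($query, $session, $home)));
}
```

Only the first case keeps its destination under the hardened function; every other case resolves to the fallback page, while the unsafe function returns whatever the request supplied.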
Preconditions
- network: The attacker must be able to reach the phpMyAdmin redirector endpoint.
Generated on May 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.phpmyadmin.net/home_page/security/PMASA-2011-4.php (nvd, Vendor Advisory, WEB)
- github.com/advisories/GHSA-v6fw-xf2c-8q43 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-1941 (ghsa, ADVISORY)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (ghsa, WEB)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (ghsa, WEB)
- github.com/phpmyadmin/composer/commit/b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f (ghsa, WEB)
- github.com/phpmyadmin/composer/commit/ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d (ghsa, WEB)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd)
- phpmyadmin.git.sourceforge.net/git/gitweb.cgi (nvd)