CVE-2015-7873
Description
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1 allows remote attackers to spoof content via the url parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
phpMyAdmin url.php redirection allows content spoofing via the url parameter in versions 4.4.x before 4.4.15.1 and 4.5.x before 4.5.1.
Vulnerability
The redirection feature in url.php of phpMyAdmin does not properly validate the url parameter, allowing an attacker to craft a link that redirects users to an arbitrary external site. This vulnerability affects phpMyAdmin versions 4.4.x prior to 4.4.15.1 and 4.5.x prior to 4.5.1 [1][3]. The spoofed content is escaped, so no HTML injection is possible [3].
Exploitation
An attacker can exploit this by sending a victim a specially crafted URL that includes a malicious url parameter pointing to an attacker-controlled site. No authentication or special network position is required; the victim only needs to click the link while logged into phpMyAdmin. The redirection mechanism in url.php will then redirect the user to the external site, displaying its content as if it were part of phpMyAdmin [2][3].
Impact
Successful exploitation allows an attacker to perform a content spoofing attack, presenting arbitrary external content to the victim within the context of phpMyAdmin. This can be used for phishing or to mislead users. The advisory rates this as non-critical because the spoofed content is escaped and no HTML injection is possible [3].
Mitigation
Users should upgrade to phpMyAdmin 4.4.15.1 or newer, or 4.5.1 or newer. Patches are available in commits 2b31866 (4.4 branch) and cd09765 (4.5 branch) [2][3]. No workaround is documented; upgrading is the recommended solution.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
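Where it is not certain that every instance has been upgraded, access logs can be reviewed for `url.php` requests whose `url` value is display text rather than a link. The sketch below is an added example, not code from phpMyAdmin or the advisory; the combined-log format, the `/phpmyadmin/` path, the sample lines and the two heuristics are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined-log style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [23/Oct/2015:10:00:01 +0000] "GET /phpmyadmin/url.php?url=https%3A%2F%2Fdev.mysql.com%2Fdoc%2F HTTP/1.1" 200 512
203.0.113.9 - - [23/Oct/2015:10:00:07 +0000] "GET /phpmyadmin/url.php?url=This+is+injected+text HTTP/1.1" 200 498
203.0.113.9 - - [23/Oct/2015:10:00:09 +0000] "GET /phpmyadmin/index.php?db=test HTTP/1.1" 200 9000
198.51.100.2 - - [23/Oct/2015:10:01:30 +0000] "GET /phpmyadmin/url.php?url=injected-notice HTTP/1.1" 200 530
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def classify_url_param(value):
    """Return a reason if the decoded value looks like display text, else None."""
    if re.search(r"\s", value):
        return "whitespace in url value"
    try:
        parts = urlsplit(value)
    except ValueError:
        return "unparseable url value"
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "not an absolute http(s) URL"
    return None


def find_suspicious(log_text):
    """Return (client, decoded url value, reason) for flagged url.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        parts = urlsplit(target)
        if not parts.path.endswith("/url.php"):
            continue
        # parse_qs percent-decodes the value and turns '+' into a space.
        for value in parse_qs(parts.query).get("url", []):
            reason = classify_url_param(value)
            if reason:
                hits.append((client, value, reason))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Access logs record only the query string, so a `url` value sent in a POST body would not show up in this review.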
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.4.0, < 4.4.15.1 | 4.4.15.1 |
| phpmyadmin/phpmyadmin (Packagist) | >= 4.5.0, < 4.5.1 | 4.5.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.13.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.14.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.15:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- (no CPE) range: <4.4.15.1, <4.5.1
- ghsa-coords: 2 versions
- (no CPE) range: >= 4.4.0, < 4.4.15.1
- (no CPE) range: < 4.6.5.2-1.1
Patches
cd097656758f Port content spoofing fix
2 files changed · +6 −1
ChangeLog+4 −0 modified@@ -142,6 +142,10 @@ phpMyAdmin - ChangeLog - issue #11448 Clarify doc about the MemoryLimit directive - issue #11489 Cannot copy a database under certain conditions +4.4.15.1 (2015-10-23) +- issue #11464 phpMyAdmin suggests upgrading to newer version not usable on that system +- issue [security] Content spoofing on url.php + 4.4.15.0 (2015-09-20) - issue #11411 Undefined "replace" function on numeric scalar - issue #11421 Stored-proc / routine - broken parameter parsing
url.php+2 −1 modified@@ -32,6 +32,7 @@ } </script>"; // Display redirecting msg on screen. - printf(__('Taking you to %s.'), htmlspecialchars($_REQUEST['url'])); + // Do not display the value of $_REQUEST['url'] to avoid showing injected content + echo __('Taking you to the target site.'); } die();
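Review bot: In the url.php hunk, both the removed `printf` line and the new comment show this branch taking the parameter from `$_REQUEST['url']`, whereas the 4.4 commit works on `$_GET['url']`. `$_REQUEST` can also be filled from POST data and, depending on configuration, cookies, so if the rest of url.php still reads `$_REQUEST['url']` for the redirect target, consider narrowing it to `$_GET['url']` and updating the comment to name the same superglobal.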
2b31866fe0b3 [security] Content spoofing on url.php
1 file changed · +2 −1
url.php+2 −1 modified@@ -32,7 +32,8 @@ } </script>"; // Display redirecting msg on screen. - printf(__('Taking you to %s.'), htmlspecialchars($_GET['url'])); + // Do not display the value of $_GET['url'] to avoid showing injected content + echo __('Taking you to the target site.'); } die(); ?>
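Review bot: The change at `echo __('Taking you to the target site.');` only alters the on-screen message; the `</script>` block closed just above it is untouched context, and this hunk does not show how the url value is written into that script. Worth confirming in the same review that the value is validated and escaped for the script context, and adding a test that requests url.php with a non-URL value and asserts the value is absent from the response body. The trailing `?>` after `die();` can also be dropped so no stray output follows the closing tag.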
References
- www.phpmyadmin.net/security/PMASA-2015-5/ (nvd: Patch, Vendor Advisory)
- github.com/advisories/GHSA-5pmg-qh2c-7j24 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-7873 (ghsa: ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2015-November/171311.html (nvd: WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-November/171326.html (nvd: WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-October/169987.html (nvd: WEB)
- www.debian.org/security/2015/dsa-3382 (nvd: WEB)
- github.com/phpmyadmin/phpmyadmin/commit/2b31866fe0b30b867aaf5b5fedb11adb354e037f (ghsa: WEB)
- github.com/phpmyadmin/phpmyadmin/commit/cd097656758f981f80fb9029c7d6b4294582b706 (nvd: WEB)
- web.archive.org/web/20161014120907/http://www.securitytracker.com/id/1034013 (ghsa: WEB)
- web.archive.org/web/20200228052850/http://www.securityfocus.com/bid/77299 (ghsa: WEB)
- www.phpmyadmin.net/security/PMASA-2015-5 (ghsa: WEB)
- www.securityfocus.com/bid/77299 (nvd)
- www.securitytracker.com/id/1034013 (nvd)