Medium severity 6.8 · NVD Advisory · Published Mar 1, 2016 · Updated May 6, 2026
CVE-2016-2562
Description
The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.
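An added example, not code from phpMyAdmin or from this advisory: a small Python audit check that flags PHP `curl_setopt` calls which literally switch off peer or host-name verification, the pattern the fix commit removes. The function names and the `BEFORE`/`AFTER` samples are constructed for illustration; values that are not literals (variables, function calls) are not evaluated.

```python
import re

# curl_setopt(<handle>, CURLOPT_SSL_VERIFYPEER|VERIFYHOST, <value>)
CALL = re.compile(
    r"curl_setopt\s*\(\s*[^,]+,\s*CURLOPT_SSL_(VERIFYPEER|VERIFYHOST)"
    r"\s*,\s*([^)]+?)\s*\)",
    re.IGNORECASE,
)

# Literal values that leave the check disabled or incomplete.
# VERIFYHOST must be 2 to compare the certificate name with the host name.
WEAK = {
    "VERIFYPEER": {"0", "false", "null"},
    "VERIFYHOST": {"0", "1", "false", "true", "null"},
}

def normalise(value):
    """Strip quotes and case so '2', "2" and 2 compare equal."""
    return value.strip().strip("'\"").lower()

def scan(php_source):
    """Return (line_number, option, raw_value) for each weak literal setting."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        for match in CALL.finditer(line):
            option, value = match.group(1).upper(), match.group(2)
            if normalise(value) in WEAK[option]:
                findings.append((lineno, "CURLOPT_SSL_" + option, value))
    return findings

# Constructed samples: the option lines as they read before and after the fix.
BEFORE = """\
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0);
"""
AFTER = """\
curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, '2');
curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, '1');
"""

if __name__ == "__main__":
    for lineno, option, value in scan(BEFORE):
        print(f"line {lineno}: {option} set to {value}")
```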
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.5, < 4.5.5.1 | 4.5.5.1 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.5.5:*:*:*:*:*:*:*
Patches
e42b7e3aedd2 Bring back SSL certificate validation
2 files changed · +11 −5
libraries/Config.class.php+2 −2 modified@@ -774,8 +774,8 @@ public function checkHTTP($link, $get_body = false) PMA_Util::configureCurl($handle); curl_setopt($handle, CURLOPT_FOLLOWLOCATION, 0); curl_setopt($handle, CURLOPT_RETURNTRANSFER, 1); - curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, 0); - curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, 0); + curl_setopt($handle, CURLOPT_SSL_VERIFYHOST, '2'); + curl_setopt($handle, CURLOPT_SSL_VERIFYPEER, '1'); curl_setopt($handle, CURLOPT_CONNECTTIMEOUT, 5); curl_setopt($handle, CURLOPT_TIMEOUT, 5); curl_setopt($handle, CURLOPT_IPRESOLVE, CURL_IPRESOLVE_V4);
test/classes/PMA_Config_test.php+9 −3 modified@@ -53,6 +53,7 @@ protected function setUp() $GLOBALS['server'] = 0; $_SESSION['is_git_revision'] = true; $GLOBALS['PMA_Config'] = new PMA_Config(CONFIG_FILE); + $GLOBALS['cfg']['ProxyUrl'] = ''; //for testing file permissions $this->permTestObj = new PMA_Config("./config.sample.inc.php"); @@ -1038,14 +1039,19 @@ public function testCheckHTTP() $this->markTestSkipped('Missing curl extension!'); } $this->assertTrue( - $this->object->checkHTTP("http://www.phpmyadmin.net/test/data") + $this->object->checkHTTP("https://www.phpmyadmin.net/test/data") ); $this->assertContains( "TEST DATA", - $this->object->checkHTTP("http://www.phpmyadmin.net/test/data", true) + $this->object->checkHTTP("https://www.phpmyadmin.net/test/data", true) ); $this->assertFalse( - $this->object->checkHTTP("http://www.phpmyadmin.net/test/nothing") + $this->object->checkHTTP("https://www.phpmyadmin.net/test/nothing") + ); + // Use rate limit API as it's not subject to rate limiting + $this->assertContains( + '"resources"', + $this->object->checkHTTP("https://api.github.com/rate_limit", true) ); }
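Review bot: In libraries/Config.class.php the two re-enabled options are passed as the strings '2' and '1'; pass the integer 2 for CURLOPT_SSL_VERIFYHOST and true for CURLOPT_SSL_VERIFYPEER so the intent is explicit and does not rely on type conversion. The visible lines set no CA bundle, so validation depends on the trust store the curl build uses by default unless PMA_Util::configureCurl sets one, which this hunk does not show; that dependency deserves a comment or a line in the documentation.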
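Review bot: In testCheckHTTP every assertion targets a host whose certificate is expected to validate, so the test would still pass if verification were switched off again; add a case that points checkHTTP at an endpoint with an untrusted or name-mismatched certificate and asserts that the call fails. The assertions also depend on live responses from www.phpmyadmin.net and api.github.com, so consider skipping them when the network is unavailable, as is already done for a missing curl extension.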
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/phpmyadmin/phpmyadmin/commit/e42b7e3aedd29dd0f7a48575f20bfc5aca0ff976 (nvd; Patch, WEB)
- www.phpmyadmin.net/security/PMASA-2016-13/ (nvd; Patch, Vendor Advisory)
- github.com/advisories/GHSA-w8qg-j9fp-hrjf (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-2562 (ghsa; ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178562.html (nvd; WEB)
- lists.fedoraproject.org/pipermail/package-announce/2016-March/178869.html (nvd; WEB)
- www.phpmyadmin.net/security/PMASA-2016-13 (ghsa; WEB)