High severity (7.5, NVD) · Advisory · Published Jul 17, 2017 · Updated May 13, 2026
CVE-2017-1000016
Description
A weakness was discovered where an attacker can inject arbitrary values into the browser cookies. This is a re-issue of an incomplete fix from PMASA-2016-18. The earlier fix stripped PATH_INFO from PHP_SELF before the value is reused; the patch below additionally cuts a trailing query string and collapses `.`, `..` and empty path segments, so attacker-supplied path components can no longer survive the cleanup.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| phpmyadmin/phpmyadmin (Packagist) | >= 4.6, < 4.6.6 | 4.6.6 |
Affected products
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpmyadmin:phpmyadmin:4.6.5.2:*:*:*:*:*:*:*
Patches
3b6ed1f Improve PHP path cleanup
2 files changed · +46 −1
libraries/core.lib.php+22 −1 modified@@ -946,6 +946,10 @@ function PMA_cleanupPathInfo() } $_PATH_INFO = PMA_getenv('PATH_INFO'); if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF)) { + $question_pos = mb_strpos($PMA_PHP_SELF, '?'); + if ($question_pos != false) { + $PMA_PHP_SELF = mb_substr($PMA_PHP_SELF, 0, $question_pos); + } $path_info_pos = mb_strrpos($PMA_PHP_SELF, $_PATH_INFO); if ($path_info_pos !== false) { $path_info_part = mb_substr($PMA_PHP_SELF, $path_info_pos, mb_strlen($_PATH_INFO)); @@ -954,7 +958,24 @@ function PMA_cleanupPathInfo() } } } - $PMA_PHP_SELF = htmlspecialchars($PMA_PHP_SELF); + + $path = []; + foreach(explode('/', $PMA_PHP_SELF) as $part) { + // ignore parts that have no value + if (empty($part) || $part === '.') continue; + + if ($part !== '..') { + // cool, we found a new part + array_push($path, $part); + } else if (count($path) > 0) { + // going back up? sure + array_pop($path); + } + // Here we intentionall ignore case where we go too up + // as there is nothing sane to do + } + + $PMA_PHP_SELF = htmlspecialchars('/' . join('/', $path)); } /**
test/libraries/core/PMA_cleanupPathInfo_test.php+24 −0 modified@@ -66,6 +66,30 @@ public function pathsProvider() '/; cookieinj=value/', '/phpmyadmin/index.php' ), + array( + '', + '//example.com/../phpmyadmin/index.php', + '', + '/phpmyadmin/index.php' + ), + array( + '', + '//example.com/../../.././phpmyadmin/index.php', + '', + '/phpmyadmin/index.php' + ), + array( + '', + '/page.php/malicouspathinfo?malicouspathinfo', + 'malicouspathinfo', + '/page.php' + ), + array( + '/phpmyadmin/./index.php', + '/phpmyadmin/./index.php', + '', + '/phpmyadmin/index.php' + ), array( '/phpmyadmin/index.php', '/phpmyadmin/index.php',
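Review bot: `if ($question_pos != false)` in the first core.lib.php hunk is a loose comparison, so a `?` at offset 0 (`mb_strpos` returning `0`) is treated as not found and the query string is kept; use `!== false`, as the `$path_info_pos !== false` check two lines below already does. The `?` cut also only runs inside `if (! empty($_PATH_INFO) && ! empty($PMA_PHP_SELF))`, so a PHP_SELF that carries a query string while PATH_INFO is empty reaches the later path normalization untrimmed; consider hoisting the cut above that condition.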
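Review bot: `if (empty($part) || $part === '.') continue;` in the second core.lib.php hunk also drops a segment that is literally the string `"0"`, because `empty("0")` is true in PHP; a script served from `/0/index.php` would be cleaned to `/index.php`. Use `$part === ''` for the blank-segment check. The trailing comment also needs fixing: `// Here we intentionally ignore the case where we go up too far`.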
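Review bot: the new `pathsProvider()` rows spell the payload `malicouspathinfo`; rename it to `maliciouspathinfo` in both columns so the case reads as intended. None of the added rows exercises a `?` with an empty PATH_INFO or a path segment named `0`, and the new cleanup code treats both differently from a plain segment; a row for each would pin that behaviour down.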
Vulnerability mechanics
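The following is an added example, not phpMyAdmin's code: a stand-alone PHP reimplementation of the two forms of the script-path cleanup visible in the patch above, the pre-fix version (PATH_INFO stripped from PHP_SELF, then HTML-escaped, i.e. the unchanged context lines of the first hunk) and the post-fix version (query string cut, PATH_INFO stripped, dot and empty segments collapsed). It runs both over inputs constructed from the patched test provider, plus one constructed input that combines the cookie payload with the `?` trick to show why the strip alone was incomplete. The `set_cookie_header()` sink is hypothetical: the description says the value reaches browser cookies, but the page does not show the code that sets them, so the assumption here is that the cleaned path is used verbatim as the cookie Path attribute.

```php
<?php
declare(strict_types=1);
// Added example, not phpMyAdmin's code: stand-alone reimplementation of the
// script-path cleanup shown in the patch, in pre-fix and post-fix forms,
// run over inputs taken from the patch's test provider. Requires ext-mbstring.

// Pre-fix cleanup (the unchanged context lines of the first hunk): strip
// PATH_INFO from the end of PHP_SELF and HTML-escape the result.
function cleanup_before(string $php_self, string $path_info): string
{
    if ($path_info !== '' && $php_self !== '') {
        $pos = mb_strrpos($php_self, $path_info);
        if ($pos !== false
            && mb_substr($php_self, $pos, mb_strlen($path_info)) === $path_info) {
            $php_self = mb_substr($php_self, 0, $pos);
        }
    }
    return htmlspecialchars($php_self);
}

// Post-fix cleanup: cut at '?', strip PATH_INFO, then collapse '.', '..' and
// empty segments so only a canonical absolute path survives.
function cleanup_after(string $php_self, string $path_info): string
{
    if ($path_info !== '' && $php_self !== '') {
        $q = mb_strpos($php_self, '?');
        if ($q !== false) {              // strict comparison, unlike the patch's `!= false`
            $php_self = mb_substr($php_self, 0, $q);
        }
        $pos = mb_strrpos($php_self, $path_info);
        if ($pos !== false
            && mb_substr($php_self, $pos, mb_strlen($path_info)) === $path_info) {
            $php_self = mb_substr($php_self, 0, $pos);
        }
    }
    $path = [];
    foreach (explode('/', $php_self) as $part) {
        if ($part === '' || $part === '.') {   // `=== ''`, not empty(): keeps a segment named "0"
            continue;
        }
        if ($part === '..') {
            if ($path !== []) {                // going up past the root is silently ignored
                array_pop($path);
            }
            continue;
        }
        $path[] = $part;
    }
    return htmlspecialchars('/' . implode('/', $path));
}

// Hypothetical sink (an assumption; the page does not show where PMA_PHP_SELF
// is consumed): the cleaned path used verbatim as a cookie Path attribute.
function set_cookie_header(string $name, string $value, string $path): string
{
    return "Set-Cookie: {$name}={$value}; Path={$path}; HttpOnly";
}

// Constructed inputs: [PHP_SELF, PATH_INFO]. The first three mirror rows of
// the patched pathsProvider(); the last combines the cookie payload with the
// '?' trick so that mb_strrpos() finds the wrong occurrence of PATH_INFO.
$cases = [
    ['/phpmyadmin/index.php/; cookieinj=value/', '/; cookieinj=value/'],
    ['/page.php/malicouspathinfo?malicouspathinfo', 'malicouspathinfo'],
    ['//example.com/../../.././phpmyadmin/index.php', ''],
    ['/phpmyadmin/index.php/; cookieinj=value?/; cookieinj=value', '/; cookieinj=value'],
];

foreach ($cases as [$self, $info]) {
    $before = cleanup_before($self, $info);
    $after  = cleanup_after($self, $info);
    echo "PHP_SELF : {$self}\n";
    echo "  before : {$before}\n";
    echo "  after  : {$after}\n";
    // A ';' surviving in the path terminates the Path attribute in the browser's
    // eyes and lets the attacker append their own attribute or name=value pair.
    echo "  cookie (before): " . set_cookie_header('pma_lang', 'en', $before) . "\n";
    echo "  cookie (after) : " . set_cookie_header('pma_lang', 'en', $after) . "\n\n";
}
```

Two things stand out when running this. For the `?` inputs, `mb_strrpos()` locates the copy of PATH_INFO that sits after the query string, so the pre-fix strip removes the wrong tail and leaves `/page.php/malicouspathinfo?` or `/phpmyadmin/index.php/; cookieinj=value?` behind; `htmlspecialchars()` does nothing to `;`, `=` or `?`, so escaping was never a defence for a cookie attribute. The post-fix version yields `/page.php` and `/phpmyadmin/index.php`, matching the expected values in the test provider, and the `//example.com/../../.././phpmyadmin/index.php` form collapses to `/phpmyadmin/index.php` as the provider expects.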
References
- github.com/advisories/GHSA-j2cq-h6v2-f875 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-1000016 (GHSA, advisory)
- www.phpmyadmin.net/security/PMASA-2017-5 (NVD, third-party advisory, web)
- github.com/phpmyadmin/phpmyadmin/commit/3b6ed1f (GHSA, web)