As discussed on https://github.com/phpmyadmin/phpmyadmin/wiki/2016-01_Meeting#suggesting-a-donation-amount we would display "We hope you enjoy phpMyAdmin. Please consider donating to support our development (suggested amount: 10 USD)." after a download (either on the download button or links).

Avoid leaking information to attackers by removing response headers that say what software is running on your web server.

Many web servers give the name and versions of software that were used to respond to a request within the response headers. For example, a server might respond with the header Server: Apache/2.2.20 (Win32) PHP/5.3.10 when a page is requested. This can give hints to attackers on how to search for vulnerabilities. Response headers that can contain software version information include the Server, Powered-by, ASPNET and ASPNETMVC headers. You should configure your server to suppress headers like these. Note that a determined attacker can uncover details about your server configuration in other ways and can find exploits without knowing this information anyway. However, making life a little harder for an attacker by keeping this information hidden doesn't usually require a lot of effort. Learn more.

Visit:
https://www.phpmyadmin.net/try/
See 'empty space' under 'Server monitor' screen-shot:

Browser: FireFox, OS: Ubuntu

Since change in phpmyadmin/phpmyadmin#12836, we're providing different download sets and download links introduced in 389ea3d should be adjusted.

See also phpmyadmin/phpmyadmin#11469 (comment)

The hash variable which come from URL passed to show_theme function which use $$ function (parameter used as SELECTOR)

As report by Emanuel Bronshtein,

I suggest to implement the following for *.phpmyadmin.net websites:
* 'Public-Key-Pins-Report-Only' header, more information:
https://developers.google.com/web/updates/2015/09/HPKP-reporting-with-chrome-46?hl=en
https://developer.mozilla.org/en/docs/Web/Security/Public_Key_Pinning
* report-uri directive in CSP headers, more information:
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/Using_CSP_violation_reports

one free service that can be used for that purpose:
https://report-uri.io/

while using 'Public Key Pinning (HPKP)' is better, it's vulnerable to 'HPKP Suicide/Footgun' problem (very bad to lose control over keys), more information:
https://scotthelme.co.uk/using-security-features-to-do-bad-things/
https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead
Thus I suggest to implement only the reporting feature (Public-Key-Pins-Report-Only header)
more information regarding HPKP & Lets Encrypt usage:
https://scotthelme.co.uk/setting-up-le/
https://scotthelme.co.uk/lets-encrypt-smart-renew/

Visit:
https://mail.phpmyadmin.net/
Result: (SSL Error)

mail.phpmyadmin.net uses an invalid security certificate.
The certificate is only valid for lists.phpmyadmin.net
Error code: SSL_ERROR_BAD_CERT_DOMAIN

fix:
use valid certificate for mail.phpmyadmin.net

in:
https://www.phpmyadmin.net/downloads/#stable
the text of downloaded links startswith /downloads/ , example:

/downloads/phpMyAdmin-latest-all-languages.zip

which also happen in Syndication links:
https://www.phpmyadmin.net/about-website/#syndicate

while the other download links on the download page don't contain the parent folder name in it, such as in:
https://www.phpmyadmin.net/downloads/#devel

phpMyAdmin-4.7+snapshot-all-languages.zip

Open https://www.phpmyadmin.net/security/feed/

<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>phpMyAdmin security announcements</title><link>https://www.phpmyadmin.net/files/</link><description>Security announcements from the phpMyAdmin project.</description><atom:link href="https://www.phpmyadmin.net/security/feed/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Tue, 17 Apr 2018 18:55:21 +0000</lastBuildDate><item><title>PMASA-2018-2</title><link>https://www.phpmyadmin.net/security/PMASA-2018-2/</link><description>&lt;p&gt;CSRF vulnerability allowing arbitrary SQL execution&lt;/p&gt;

&lt;h3&gt;Affected Versions&lt;/h3&gt;
&lt;p&gt;Version 4.8.0 is affected&lt;/p&gt;

&lt;h3&gt;CVE ID&lt;/h3&gt;

&lt;p&gt;&lt;a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=(&amp;#39;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188&amp;#39;, u&amp;#39;CVE-2018-10188&amp;#39;)"&gt;(&amp;#39;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188&amp;#39;, u&amp;#39;CVE-2018-10188&amp;#39;)&lt;/a&gt;&lt;/p&gt;

Decoded :

<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>phpMyAdmin security announcements</title><link>https://www.phpmyadmin.net/files/</link><description>Security announcements from the phpMyAdmin project.</description><atom:link href="https://www.phpmyadmin.net/security/feed/" rel="self"></atom:link><language>en-us</language><lastBuildDate>Tue, 17 Apr 2018 18:55:21 +0000</lastBuildDate><item><title>PMASA-2018-2</title><link>https://www.phpmyadmin.net/security/PMASA-2018-2/</link><description><p>CSRF vulnerability allowing arbitrary SQL execution</p>

<h3>Affected Versions</h3>
<p>Version 4.8.0 is affected</p>

<h3>CVE ID</h3>

<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=(&#39;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188&#39;, u&#39;CVE-2018-10188&#39;)">(&#39;https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10188&#39;, u&#39;CVE-2018-10188&#39;)</a></p>

You can see that the link to the CVE contains the link to the CVE.

Seems to be because of :

Screenshots

Thunderbird

Feedly

CAA DNS record used in order to specify which CA is allowed to generate certificates for domain, more information:
https://sslmate.com/labs/caa/

fix:
Add CAA record if possible (DNS provider support it) & target CA support it as well (letsencrypt has support https://community.letsencrypt.org/t/caa-setup-for-lets-encrypt/9893)

It might be useful to have support for metalink for downloads. The good thing on it is that it can include checksums and PGP signature for automated checking. The bad thing is that there doesn't seem to be client to implement PGP verification, so we're only back to checksums (and SHA-256 is mostly not supported as well).

See https://en.wikipedia.org/wiki/Metalink

This really needs decision whether it's worth of the effort.

Run

<?php

$exts = ["zip", "tar.gz", "tar.xz"];

$hashes = ["sha256", "sha1"];

$variants = ["all-languages", "source", "english"];

$downloads = [
	'https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-' => 'phpMyAdmin-5.0+snapshot',
	'https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-' => 'phpMyAdmin-4.8+snapshot'
];

$i = 0;

foreach ($downloads as $url => $version) {
	foreach ($variants as $variant) {
		foreach ($exts as $ext) {
			$i++;
			$link = "$url$variant.$ext";
			echo $link.PHP_EOL;
			file_put_contents("${version}-$variant.$ext", file_get_contents($link));
			foreach ($hashes as $hash) {
				file_put_contents("${version}-$variant.$ext.$hash", file_get_contents($link.".$hash"));
				echo $link.".$hash".PHP_EOL;
				$i++;
			}
		}
	}
}

echo "Count: $i".PHP_EOL;

Check hashes

sha256sum --check ./*.sha256
sha1sum --check ./*.sha1

Output

SHA1 (Réussi=success, Échec=failed)

phpMyAdmin-4.8+snapshot-all-languages.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-all-languages.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-all-languages.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-english.tar.gz: Réussi
phpMyAdmin-4.8+snapshot-english.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-english.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-source.tar.gz: Réussi
phpMyAdmin-4.8+snapshot-source.tar.xz: Réussi
phpMyAdmin-4.8+snapshot-source.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-english.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-english.tar.xz: Réussi
phpMyAdmin-5.0+snapshot-english.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas

SHA256 (Réussi=success, Échec=failed)

phpMyAdmin-4.8+snapshot-all-languages.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-all-languages.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-all-languages.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-english.tar.gz: Réussi
phpMyAdmin-4.8+snapshot-english.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-english.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-4.8+snapshot-source.tar.gz: Réussi
phpMyAdmin-4.8+snapshot-source.tar.xz: Réussi
phpMyAdmin-4.8+snapshot-source.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-all-languages.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-english.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-english.tar.xz: Réussi
phpMyAdmin-5.0+snapshot-english.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.tar.gz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.tar.xz: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas
phpMyAdmin-5.0+snapshot-source.zip: Échec
sha1sum: Attention : 1 somme de contrôle ne correspond pas

CURL caches

curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-all-languages.tar.xz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-source.tar.xz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-5.0+snapshot-english.tar.xz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-all-languages.tar.xz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-source.tar.xz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.zip.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.zip.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.tar.gz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.tar.gz.sha1  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.tar.xz.sha256  | grep 'last-modified: '
curl -s -I https://files.phpmyadmin.net/snapshots/phpMyAdmin-4.8+snapshot-english.tar.xz.sha1  | grep 'last-modified: '

All modified files before today are not okay.

Describe the bug

In page https://www.phpmyadmin.net/files/2.2.0/, the file to download is named "phpMyAdmin-2.1.0-php.zip" instead of "phpMyAdmin-2.2.0-php.zip". When unziped, the folder name is "phpMyAdmin-2.2.0".

To Reproduce

Navigate to https://www.phpmyadmin.net/files/2.2.0/ and see.

Expected behavior

The zip file should be named "phpMyAdmin-2.2.0-php.zip".

Screenshots

in:
https://www.phpmyadmin.net/security/PMASA-2016-58/
The second commit "Use hash_equals for checking username" is not related to the issue

in:
https://www.phpmyadmin.net/security/PMASA-2016-42/
the commit phpmyadmin/phpmyadmin@7ef96c5 return 404

in:
https://www.phpmyadmin.net/security/PMASA-2016-39/
Duplicate commits 5d427d6 & 80b03a4

in:
https://www.phpmyadmin.net/security/PMASA-2017-5/
it's missing credit in "References" section.

fix:
Add credit as in PMASA-2017-4 to PMASA-2017-5

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Currently https://www.phpmyadmin.net/about/ lacks latest releases, those should be added.

Followup for phpmyadmin/phpmyadmin#12796.

It would be nice to have release data and downloads on GitHub as well. Currently when somebody browses to https://github.com/phpmyadmin/phpmyadmin/releases he gets list of releases with links to our website.

The perfect solution would:

• Upload all files to GitHub as well
• Update release notes there based on content we have on website

The website of phpMyAdmin sadly looks very outdated when we compare it with those others Open Source projects like Sequel Pro. https://www.sequelpro.com/

The SHA1 hash was practically broken (regarding collision resistance), see:
https://shattered.io/
thus it's not recommended to use it in scenarios that relay on collision resistance.
Regarding PMA it's mean to remove it's usage as checksum for downloads.
(HMAC-SHA1 [cookie auth + github api] is still safe as it's security not depend on resistance to collisions)

fix:

1. remove SHA1 checksums usage for downloadable files in:
   https://www.phpmyadmin.net/downloads/
   https://www.phpmyadmin.net/themes/
2. optional: add BLAKE2 checksums instead (b2sum tool), more information:
   https://www.gnu.org/software/coreutils/manual/html_node/b2sum-invocation.html#b2sum-invocation
   https://leastauthority.com/blog/BLAKE2-harder-better-faster-stronger-than-MD5/

SHA256 is considered secure, it's not broken even theoretically.

The checksum used in themes download is MD5:
https://www.phpmyadmin.net/themes/#all

for example:

arctic_ocean-2.11a.zip (176.0 KB, MD5: 45837793bea6e05347e301b7d40946f8)
metro-2.5.zip (1.5 MB, MD5: 8e20662416420f6e9bcf46ff683e44bc)

fix:
use SHA1 or SHA256 instead, MD5 is broken [not secure anymore]

As report by Emanuel Bronshtein,

visiting over HTTP the following websites will not redirect to HTTPS:

• http://admin.phpmyadmin.net
• http://develdocs.phpmyadmin.net
• http://reports.phpmyadmin.net/
• http://planet.phpmyadmin.net/
• http://klutz.phpmyadmin.net
• http://ci.phpmyadmin.net/
• http://hooks.phpmyadmin.net

The Weblate API we use is officially deprecated, though not yet removed.

We should migrate to the new API endpoint.

The new API uses a different style response, so we'll have to

1. Load additional pages of responses (iterating over the 'next' URL),
2. Look at the results array, and pass the data from that to where the old data directly went.

all pages of this website are missing a meta description

"Meta descriptions may be included in search results to concisely summarize page content."
it is highly recommended to provide a unique description for each page.

This also improves SEO ratings

At the themes page do I missing a direct link from the author who writes the theme. Underneath the author name can we create also a uri.

With versions 4.9.3 and 5.0.0, the website is showing 4.9.3 first. It should offer the newest download (5.0.0) first.

See also phpmyadmin/scripts#22

As report by Emanuel Bronshtein,

https://admin.phpmyadmin.net
https://klutz.phpmyadmin.net

there are more than 29 pages linked with a redirect returning a status code between 300 and 399.

and also 1 page with a 4xx code.

fixing this would improve the website overall

2. CSP Improvements (for WebSite)

https://www.phpmyadmin.net/ return the following CSP header:
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://www.google-analytics.com/; img-src 'self' https://www.google-analytics.com/ https://www.paypalobjects.com/; style-src 'self' 'unsafe-inline'; child-src 'none'; object-src 'none'

2.1) Change Google Analytics loading

The usage of current Google Analytics code require unsafe-inline in script-src

fix: (by applying any of the below, the unsafe-inline can be removed from script-src)
move the inline code into external file
https://stackoverflow.com/questions/30939809/google-analytics-js-and-content-security-policy
or generate a hash for inline script:
https://www.w3.org/TR/2015/CR-CSP2-20150721/#script-src-hash-usage

2.2) Dynamic CSP usage

The https://www.paypalobjects.com/ in img-src is needed only in some pages, such as:

    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/donate.html#L31
    https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/sponsors.html#L126

2.3) More Strict CSP Policy

The usage of action attribute is used in the below pages (to https://www.paypal.com/)

3. Missing CSP Policy

visiting:
https://www.phpmyadmin.net/fff/
result:

no CSP Policy sent, also the page load javascript from https://linkhelp.clients.google.com/ (need to add to script-src directive)
https://github.com/phpmyadmin/website/blob/master/pmaweb/templates/404.html#L23

The composer installation:
https://docs.phpmyadmin.net/en/latest/setup.html#installing-using-composer
And official docker image:
https://hub.docker.com/r/phpmyadmin/phpmyadmin/

not mentioned in the website at all / in downloads page at: (only in documentation)
https://www.phpmyadmin.net/downloads/

in:
https://www.phpmyadmin.net/packages.json
apparently it's possible to use SHA1 verification in checksum field (non documented yet), more information:
composer/composer#5940 (comment)

fix:

1. add checksum field for all fields except dev-master (as it's dynamic)

Here's the live support page. Here's the relevant statement:

Questions directly related to phpMyAdmin should be asked on stackoverflow.

This should be, at the least, clarified as not all questions pertaining to phpMyAdmin are on-topic (and therefore welcome) at Stack Overflow. See the following question on the meta Stack Overflow site for details about the suitability of sending your users to Stack Overflow for all support questions:

• Where to ask question about phpMyAdmin? - Meta Stack Overflow

Other sites in the Stack Exchange family that may be more appropriate for users to submit questions:

• Database Administrators Stack Exchange
• Webmasters Stack Exchange
• Server Fault – this is probably a stretch for most users as this site is for professional network and systems administrators

There is no verification details in: (while "Quick download" link exists)
https://www.phpmyadmin.net/files/

fix:

Add "Size" & "Verification" Columns to:

•    https://www.phpmyadmin.net/files/
  

as exists in "downloads" & "release" pages:

• https://www.phpmyadmin.net/downloads/
• https://www.phpmyadmin.net/files/4.6.3/

Received by email:

https://www.phpmyadmin.net/ links to https://link.packtpub.com/XJdqZr for the "Mastering phpMyAdmin 3.4 for Effective MySQL Management” book, but for me, that shortened link resolves to "Moodle 2 Administration” (https://www.packtpub.com/hardware-and-creative/moodle-2-administration) instead of https://www.packtpub.com/big-data-and-business-intelligence/mastering-phpmyadmin-34-effective-mysql-management.
I’m guessing it’s a typo, or packtpub’s link shortener has gone funny.

As report by Emanuel Bronshtein,
missing commits in https://www.phpmyadmin.net/security/PMASA-2016-30/

Visit:
https://develdocs.phpmyadmin.net/
Result (in console)

https://develdocs.phpmyadmin.net/favicon.ico Failed to load resource: the server responded with a status of 404 ()

As reported by Emanuel Bronshtein,

https://lists.phpmyadmin.net/icons/apache_pb2.png
https://lists.phpmyadmin.net/icons/

Apache/2.4.10 (Debian) Server at lists.phpmyadmin.net Port 80

fix:
1. remove icons folder.
2. add in apache configuration file:

    ServerSignature Off
    ServerTokens Prod

Expired certificate in planet.phpmyadmin.net, details:

Subject: planet.phpmyadmin.net
Issuer: Let's Encrypt Authority X3
Expires on: Dec 25, 2016
Current date: Dec 25, 2016

We should add management command, which would go through all links inside database and check them:

• Report broken links
• Report links which use http while they should use https
• Optionally upgrade http links to https

in:
https://www.phpmyadmin.net/security/
Add note regarding issues related to security hardening/improvements/features etc.. can be searched using 'hardening' label and provide link to:
https://github.com/phpmyadmin/phpmyadmin/labels/hardening

Includes front-end JavaScript libraries with known security vulnerabilities

Some third-party scripts may contain known security vulnerabilities that are easily identified and exploited by attackers. Learn more

• some links to Weblate on https://www.phpmyadmin.net/translations/

  • some *@latin links
  • zh_{CN, TW}
  • more links

• commit on https://www.phpmyadmin.net/security/PMASA-2016-36/

• commit on https://www.phpmyadmin.net/security/PMASA-2016-30/

The daily snapshot build for QA_4_8 isn't building (master seems to be okay). This output is generated:

Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - pragmarx/google2fa-qrcode v1.0.2 requires pragmarx/google2fa ~4.0 -> satisfiable by pragmarx/google2fa[v4.0.0] but these conflict with your requirements or minimum-stability.
    - pragmarx/google2fa-qrcode v1.0.1 requires pragmarx/google2fa ~4.0 -> satisfiable by pragmarx/google2fa[v4.0.0] but these conflict with your requirements or minimum-stability.
    - pragmarx/google2fa-qrcode v1.0.0 requires pragmarx/google2fa ~4.0 -> satisfiable by pragmarx/google2fa[v4.0.0] but these conflict with your requirements or minimum-stability.
    - Installation request for pragmarx/google2fa-qrcode ^1.0 -> satisfiable by pragmarx/google2fa-qrcode[v1.0.0, v1.0.1, v1.0.2].


Installation failed, reverting ./composer.json to its original content.

Seems to be caused by phpmyadmin/phpmyadmin@8a7d18d#diff-9ae6a61e1603c6b8906021473d5c57faL238

Supported versions

https://www.phpmyadmin.net/downloads/

The About page needs to be updated, because the Milestone releases section is outdated.

Template file: pmaweb/templates/about.html

As report by Emanuel Bronshtein,

https://admin.phpmyadmin.net/phpmyadmin/
Running PMA version: phpMyAdmin 4.2.12deb2+deb8u2
Version detected via SETUP export, see issue: phpmyadmin/phpmyadmin#12469

fix:
1. upgrade to latest PMA version. (may require upload to debian-stable? so might wait for 4.6.5?)
2. it's better to change the folder to not-predictable name / set BF protection (Recaptcha)
3. disable exposing setup: https://admin.phpmyadmin.net/phpmyadmin/setup/

usage of old mootools (version: 1.2.1):
https://github.com/phpmyadmin/website/blob/bd438088a76c349845aab1e585413ad5c0e7602e/pmaweb/static/js/mootools.js
https://github.com/phpmyadmin/website/blob/bd438088a76c349845aab1e585413ad5c0e7602e/pmaweb/static/js/mootools-more.js

latest version is 1.6.0
http://mootools.net/
http://mootools.net/more

slimbox 1.6.4
https://github.com/phpmyadmin/website/blob/bd438088a76c349845aab1e585413ad5c0e7602e/pmaweb/static/js/slimbox.js

latest 1.8.0
http://www.digitalia.be/software/slimbox/#download

include a link to the github repo for the source of phpmyadmin

it should be on the first page

As report by Emanuel Bronshtein,

Visiting:
https://lists.phpmyadmin.net

Redirect to:
http://lists.phpmyadmin.net/mailman/listinfo

that will be used instead of nginx default error pages:
https://www.phpmyadmin.net/static/A

Note: The custom error page is already there, it just needs to be used for static files as well.

On https://www.phpmyadmin.net/themes/ we see for example three metro versions compatible with phpMyAdmin 3.5, but we should only see the latest one.