These issues have been known for more than a year, at least to Michal.
Moreover, the first one (same-domain ClickJacking) could hardly be
fixed because phpMyAdmin uses frames. So it's more like a design
decision (phpMyAdmin traded security and user experience for potential
> I find it troubling that a so-called security expert is discussing
> unfixed security holes in a public forum. Good work, thanks.
>> The difference between Adminer and phpMyAdmin is that Adminer is
>> designed from the start as a secure application and that security is the
>> number one priority in development of Adminer. You are right that the
>> published security fixes of phpMyAdmin are incomplete. For example, the
>> ClickJacking protection reported by me and partially fixed by you is
>> not included in this list. And it is still not fixed completely
>> (ClickJacking is still possible from the same domain). Another unfixed
>> problem is with Referer leakage, which you have also known about for more
>> than a year. Both are mentioned in the comparison.