diff --git a/ChangeLog b/ChangeLog
index 4372f0e23031..28f5fe7a3acf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.3.13.1 (Not yet released)
+- bug #4899 [security] CSRF vulnerability in setup
+
 4.3.13.0 (2015-03-29)
 - bug #4803 "Show hidden items" is sometimes hidden
 - bug #4807 Breaks when sorting by multiple columns while using UNION
diff --git a/libraries/url_generating.lib.php b/libraries/url_generating.lib.php
index 0641f5aa334f..fec864eba91e 100644
--- a/libraries/url_generating.lib.php
+++ b/libraries/url_generating.lib.php
@@ -179,6 +179,7 @@ function PMA_URL_getCommon($params = array(), $encode = 'html', $divider = '?')
     if (isset($GLOBALS['server'])
         && $GLOBALS['server'] != $GLOBALS['cfg']['ServerDefault']
         && ! isset($params['server'])
+        && ! defined('PMA_SETUP')
     ) {
         $params['server'] = $GLOBALS['server'];
     }
diff --git a/setup/frames/form.inc.php b/setup/frames/form.inc.php
index 2fb2cda0f447..4e25bfe1d2c3 100644
--- a/setup/frames/form.inc.php
+++ b/setup/frames/form.inc.php
@@ -19,8 +19,8 @@
 
 require './libraries/config/setup.forms.php';
 
-$formset_id = filter_input(INPUT_GET, 'formset');
-$mode = filter_input(INPUT_GET, 'mode');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
 if (! isset($forms[$formset_id])) {
     PMA_fatalError(__('Incorrect formset, check $formsets array in setup/frames/form.inc.php!'));
 }
diff --git a/setup/frames/index.inc.php b/setup/frames/index.inc.php
index c291c3c3275d..2c341ec2c99a 100644
--- a/setup/frames/index.inc.php
+++ b/setup/frames/index.inc.php
@@ -174,12 +174,12 @@
         echo '<td>' . htmlspecialchars($cf->getServerDSN($id)) . '</td>';
         echo '<td style="white-space: nowrap">';
         echo '<small>';
-        echo '<a href="?page=servers' . $separator
-            . 'mode=edit' . $separator . 'id=' . $id . '">'
+        echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+            . $separator . 'mode=edit' . $separator . 'id=' . $id . '">'
             . __('Edit') . '</a>';
         echo ' | ';
-        echo '<a href="?page=servers' . $separator
-            . 'mode=remove' . $separator . 'id=' . $id . '">'
+        echo '<a href="' . PMA_URL_getCommon() . $separator . 'page=servers'
+            . $separator . 'mode=remove' . $separator . 'id=' . $id . '">'
             . __('Delete') . '</a>';
         echo '</small>';
         echo '</td>';
@@ -308,7 +308,6 @@
 echo '<a href="http://www.phpmyadmin.net/">' . __('phpMyAdmin homepage') . '</a>';
 echo '<a href="http://sourceforge.net/donate/index.php?group_id=23067">'
     .  __('Donate') . '</a>';
-echo '<a href="?version_check=1' . $separator
-    . 'token=' . $_SESSION[' PMA_token '] . '">'
+echo '<a href="' .  PMA_URL_getCommon() . $separator . 'version_check=1">'
     . __('Check for latest version') . '</a>';
 echo '</div>';
diff --git a/setup/frames/menu.inc.php b/setup/frames/menu.inc.php
index d82dce07f261..a78c84d689fe 100644
--- a/setup/frames/menu.inc.php
+++ b/setup/frames/menu.inc.php
@@ -10,11 +10,11 @@
     exit;
 }
 
-$formset_id = filter_input(INPUT_GET, 'formset');
+$formset_id = isset($_GET['formset']) ? $_GET['formset'] : null;
 
 $separator = PMA_URL_getArgSeparator('html');
 echo '<ul>';
-echo '<li><a href="index.php"'
+echo '<li><a href="index.php' . PMA_URL_getCommon() . '"'
     . ($formset_id === null ? ' class="active' : '')
     . '">' . __('Overview') . '</a></li>';
 
@@ -28,7 +28,8 @@
 );
 
 foreach ($formsets as $formset => $label) {
-    echo '<li><a href="?page=form' . $separator . 'formset=' . $formset . '" '
+    echo '<li><a href="' . PMA_URL_getCommon() . $separator . 'page=form'
+        . $separator . 'formset=' . $formset . '" '
         . ($formset_id === $formset ? ' class="active' : '')
         . '">' . $label . '</a></li>';
 }
diff --git a/setup/frames/servers.inc.php b/setup/frames/servers.inc.php
index 87c5cee1d7fe..859a784816f0 100644
--- a/setup/frames/servers.inc.php
+++ b/setup/frames/servers.inc.php
@@ -19,8 +19,8 @@
 
 require './libraries/config/setup.forms.php';
 
-$mode = filter_input(INPUT_GET, 'mode');
-$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+$mode = isset($_GET['mode']) ? $_GET['mode'] : null;
+$id = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
 
 $cf = $GLOBALS['ConfigFile'];
 $server_exists = !empty($id) && $cf->get("Servers/$id") !== null;
diff --git a/setup/index.php b/setup/index.php
index f6fa6215b1c9..dd9fb23e73d7 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -12,7 +12,7 @@
  */
 require './lib/common.inc.php';
 
-$page = filter_input(INPUT_GET, 'page');
+$page = isset($_GET['page']) ? $_GET['page'] : null;
 $page = preg_replace('/[^a-z]/', '', $page);
 if ($page === '') {
     $page = 'index';
@@ -23,7 +23,7 @@
 }
 
 // Handle done action info
-$action_done = filter_input(INPUT_GET, 'action_done');
+$action_done = isset($_GET['action_done']) ? $_GET['action_done'] : null;
 $action_done = preg_replace('/[^a-z_]/', '', $action_done);
 
 PMA_noCacheHeader();
diff --git a/setup/lib/form_processing.lib.php b/setup/lib/form_processing.lib.php
index 5d762e76c5d9..db80e44ec5c4 100644
--- a/setup/lib/form_processing.lib.php
+++ b/setup/lib/form_processing.lib.php
@@ -15,7 +15,7 @@
  */
 function PMA_Process_formset(FormDisplay $form_display)
 {
-    if (filter_input(INPUT_GET, 'mode') == 'revert') {
+    if (isset($_GET['mode']) && $_GET['mode'] == 'revert') {
         // revert erroneous fields to their default values
         $form_display->fixErrors();
         PMA_generateHeader303();
@@ -35,10 +35,10 @@ function PMA_Process_formset(FormDisplay $form_display)
 
     // form has errors, show warning
     $separator = PMA_URL_getArgSeparator('html');
-    $page = filter_input(INPUT_GET, 'page');
-    $formset = filter_input(INPUT_GET, 'formset');
+    $page = isset($_GET['page']) ? $_GET['page'] : null;
+    $formset = isset($_GET['formset']) ? $_GET['formset'] : null;
     $formset = $formset ? "{$separator}formset=$formset" : '';
-    $formId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
+    $formId = PMA_isValid($_GET['id'], 'numeric') ? $_GET['id'] : null;
     if ($formId === null && $page == 'servers') {
         // we've just added a new server, get its id
         $formId = $form_display->getConfigFile()->getServerCount();
@@ -48,15 +48,18 @@ function PMA_Process_formset(FormDisplay $form_display)
     <div class="error">
         <h4><?php echo __('Warning') ?></h4>
         <?php echo __('Submitted form contains errors') ?><br />
-        <a href="?page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
+        <a href="<?php echo PMA_URL_getCommon() . $separator ?>
+            page=<?php echo $page . $formset . $formId . $separator ?>mode=revert">
             <?php echo __('Try to revert erroneous fields to their default values')
             ?>
         </a>
     </div>
     <?php $form_display->displayErrors() ?>
-    <a class="btn" href="index.php"><?php echo __('Ignore errors') ?></a>
+    <a class="btn" href="index.php<?php echo PMA_URL_getCommon() ?>">
+        <?php echo __('Ignore errors') ?></a>
     &nbsp;
-    <a class="btn" href="?page=<?php echo $page . $formset . $formId
+    <a class="btn" href="<?php echo PMA_URL_getCommon() . $separator ?>
+        page=<?php echo $page . $formset . $formId
         . $separator ?>mode=edit"><?php echo __('Show form') ?></a>
     <?php
 }
diff --git a/setup/validate.php b/setup/validate.php
index fba2725dc36a..3c070f29abe3 100644
--- a/setup/validate.php
+++ b/setup/validate.php
@@ -16,8 +16,10 @@
 
 header('Content-type: application/json');
 
-$vids = explode(',', filter_input(INPUT_POST, 'id'));
-$values = json_decode(filter_input(INPUT_POST, 'values'));
+$ids = isset($_POST['id']) ? $_POST['id'] : null;
+$vids = explode(',', $ids);
+$vals = isset($_POST['values']) ? $_POST['values'] : null;
+$values = json_decode($vals);
 if (!($values instanceof stdClass)) {
     PMA_fatalError(__('Wrong data'));
 }