PMASA-2005-2
Announcement-ID: PMASA-2005-2
Date: 2005-02-26
Summary
Path disclosure
Description
By calling some scripts that are part of phpMyAdmin in an unexpected way (especially scripts in the libraries subdirectory), it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
Severity
We consider those vulnerabilities to be minor (see Mitigation factor).
Mitigation factor
This path disclosure is possible on servers where the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual.
Affected Versions
Probably all phpMyAdmin versions.
Solution
Apply the PHP manual recommendations. Note that it's possible to apply a PHP configuration directive to a specific directory (see References).
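One way to check that the directive is really off for a given directory, shown as an added example that is not part of the original announcement or of phpMyAdmin. It assumes per-directory overrides are made with php_flag/php_value lines in .htaccess files (mod_php style) and ignores php_admin_flag, .user.ini and runtime ini_set(); the function names and sample configurations are constructed for illustration.

```python
import re

# Values that turn error display on (simplified from PHP's ini boolean handling).
_ON = {"1", "on", "yes", "true", "stdout", "stderr"}

def _ini_value(ini_text, default="1"):
    """Last display_errors assignment in php.ini text.
    PHP's built-in default is "1", so an absent directive means errors are shown."""
    value = default
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ; comments
        m = re.match(r"display_errors\s*=\s*(.*)$", line)
        if m:
            value = m.group(1).strip().strip("\"'")
    return value

def _htaccess_value(text):
    """display_errors override from one .htaccess file, or None if it sets none."""
    value = None
    for line in text.splitlines():
        m = re.match(r"\s*(?i:php_(?:flag|value))\s+display_errors\s+(\S+)", line)
        if m:
            value = m.group(1).strip("\"'")
    return value

def display_errors_enabled(ini_text, htaccess_chain=()):
    """Effective setting for a directory: php.ini first, then each .htaccess
    from the document root down to that directory, the deepest one winning."""
    value = _ini_value(ini_text)
    for text in htaccess_chain:
        override = _htaccess_value(text)
        if override is not None:
            value = override
    return value.lower() in _ON

# Constructed sample configurations.
INI_DEV = "; development defaults\ndisplay_errors = On\nlog_errors = On\n"
INI_PROD = ";display_errors = On\ndisplay_errors = Off ; production\n"
INI_SILENT = "log_errors = On\n"                       # directive absent
HT_LIBRARIES = "# libraries/.htaccess\nphp_flag display_errors off\n"

if __name__ == "__main__":
    for name, ini, chain in [("dev", INI_DEV, []), ("prod", INI_PROD, []),
                             ("unset", INI_SILENT, []),
                             ("dev + libraries/.htaccess", INI_DEV, [HT_LIBRARIES])]:
        state = "path disclosure possible" if display_errors_enabled(ini, chain) else "ok"
        print(f"{name}: {state}")
```

A php.ini that never mentions display_errors is reported as exposed, because PHP then falls back to its built-in default of showing errors.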
References
About the display_errors directive:
http://www.php.net/manual/en/ref.errorfunc.php
How to apply the directive to a specific directory:
http://www.php.net/manual/en/configuration.changes.php
Assigned CVE IDs: CVE-2005-0544
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.