Announcement-ID: PMASA-2005-2

Date: 2005-02-26


Path disclosure


By calling some scripts that are part of phpMyAdmin in an unexpected way (especially scripts in the libraries subdirectory), it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.


We consider these vulnerabilities to be minor (see Mitigation factor).

Mitigation factor

This path disclosure is possible on servers where the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual.

Affected Versions

Probably all phpMyAdmin versions.


Apply the PHP manual recommendations. Note that it's possible to apply a PHP configuration directive to a specific directory (see References).
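To confirm that the setting took effect, responses saved from your own installation can be scanned for displayed PHP errors that carry an absolute path. The following is an added example, not phpMyAdmin code; the sample responses, the file names and the function name PMA_example in them are constructed, and the "libraries" marker is taken from the description above.

```python
import re
from pathlib import PurePosixPath, PureWindowsPath

# PHP prints displayed errors as "<level>: <message> in <file> on line <n>",
# wrapped in <b> tags when html_errors is on.
PHP_ERROR = re.compile(
    r"(?:<b>)?(?P<level>Fatal error|Parse error|Warning|Notice)(?:</b>)?:\s+"
    r"(?P<msg>.*?)\s+in\s+(?:<b>)?(?P<file>(?:/|[A-Za-z]:[\\/])[^<\r\n]*?)(?:</b>)?"
    r"\s+on line\s+(?:<b>)?(?P<line>\d+)"
)

def install_root(path, marker="libraries"):
    """Directory above the last `marker` component, or None if it is absent."""
    flavour = PureWindowsPath if re.match(r"[A-Za-z]:", path) else PurePosixPath
    parts = flavour(path).parts
    if marker not in parts:
        return None
    last = len(parts) - 1 - parts[::-1].index(marker)
    return str(flavour(*parts[:last]))

def find_path_disclosures(body):
    """Return one finding per displayed PHP error that exposes an absolute path."""
    return [
        {"level": m["level"], "file": m["file"], "line": int(m["line"]),
         "root": install_root(m["file"])}
        for m in PHP_ERROR.finditer(body)
    ]

# Constructed sample responses (not captured from a real server).
HTML_BODY = (
    "<br />\n<b>Fatal error</b>:  Call to undefined function PMA_example() in "
    "<b>/var/www/html/phpMyAdmin/libraries/example.lib.php</b> on line <b>12</b><br />\n"
)
PLAIN_BODY = (
    "\nWarning: include(./libraries/example.inc.php): failed to open stream: "
    "No such file or directory in C:\\www\\phpMyAdmin\\libraries\\example.lib.php"
    " on line 7\n"
)
CLEAN_BODY = "<html><body>Welcome to phpMyAdmin</body></html>"

if __name__ == "__main__":
    samples = [("html", HTML_BODY), ("plain", PLAIN_BODY), ("clean", CLEAN_BODY)]
    for name, body in samples:
        hits = find_path_disclosures(body)
        print(name, "LEAK" if hits else "ok", hits)
```

With display_errors off, the same scan over responses from the scripts in the libraries subdirectory should return no findings.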


About the display_errors directive:
How to apply the directive to a specific directory:

Assigned CVE ids: CVE-2005-0544

CWE ids: CWE-661 CWE-200

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is