Announcement-ID: PMASA-2008-3

Date: 2008-04-22

Updated: 2008-04-27


File disclosure on shared hosts via a crafted HTTP POST request.


We received an advisory from Cezary Tomczak, and we wish to thank him for his work. It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed.


We consider this vulnerability to be serious.

Mitigation factor

If a user can upload on the same host where phpMyAdmin is running, a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat.

Affected Versions

Versions before


Upgrade to phpMyAdmin or newer.


Cezary Tomczak's advisory

Assigned CVE ids: CVE-2008-1924

CWE ids: CWE-661 CWE-522


The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is