PMASA-2016-8

Announcement-ID: PMASA-2016-8

Date: 2016-01-24

Summary

Full path disclosure vulnerability in SQL parser.

Description

By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.

Solution

Upgrade to phpMyAdmin 4.5.4 or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2044

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.5 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements