Announcement-ID: PMASA-2016-8

Date: 2016-01-24


Full path disclosure vulnerability in SQL parser.


By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.


We consider this vulnerability to be non-critical.

Mitigation factor

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

Affected Versions

Versions 4.5.x (prior to 4.5.4) are affected.


Upgrade to phpMyAdmin 4.5.4 or newer or apply patch listed below.


Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-2044

CWE ids: CWE-661 CWE-200


The following commits have been made on the 4.5 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is