PMASA-2018-6

Announcement-ID: PMASA-2018-6

Date: 2018-12-07

Summary

Local file inclusion through transformation feature

Description

A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.

Severity

We consider this vulnerability to be severe.

Affected Versions

phpMyAdmin versions from at least 4.0 through 4.8.3 are affected

Solution

Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.

References

This vulnerability was reported by Daniel Le Gall from SCRT

Assigned CVE ids: CVE-2018-19968

CWE ids: CWE-661 CWE-98

Patches

The following commits have been made on the 4.8 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements