Full path disclosure vulnerability

PMASA-2015-6

Announcement-ID: PMASA-2015-6

Date: 2015-12-25

Summary

Full path disclosure vulnerability

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

Affected Versions

Versions 4.0.x (prior to 4.0.10.12), 4.4.x (prior to 4.4.15.2) and 4.5.x (prior to 4.5.3.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.12 or newer, 4.4.15.2 or newer, 4.5.3.1 or newer or apply patch listed below.

References

Thanks to Do9gy of Tencent Security for reporting this issue.

Assigned CVE ids: CVE-2015-8669

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.0 branch to fix this issue:

• f79d30dd98e02411e33367b01af86d4125630792

The following commits have been made on the 4.4 branch to fix this issue:

• 583cb1ede5f8c81bf3f5cf90a8d1b9d8e62ae6ad

The following commits have been made on the 4.5 branch to fix this issue:

• c4d649325b25139d7c097e56e2e46cc7187fae45

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.