Multiple full path disclosure vulnerabilities

PMASA-2016-23

Announcement-ID: PMASA-2016-23

Date: 2016-06-23

Summary

Multiple full path disclosure vulnerabilities

Description

This PMASA contains information on multiple full-path disclosure vulnerabilities reported in phpMyAdmin.

By specially crafting requests in the following areas, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

1. Setup script
2. Example OpenID authentication script

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

To mitigate these issues, it is possible to remove the setup script and examples subdirectories: ./setup/ and ./examples/

Affected Versions

All 4.6.x versions (prior to 4.6.3), 4.4.x versions (prior to 4.4.15.7), and 4.0.x versions (prior to 4.0.10.16) are affected

Solution

Upgrade to phpMyAdmin 4.6.3, 4.4.15.7, or 4.0.10.16 or newer or apply patches listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.

Assigned CVE ids: CVE-2016-5730

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

• c9faf85
• e1eb5e8
• 96c6a7c
• fa7a9b7
• c795a39

The following commits have been made on the 4.4 branch to fix this issue:

• 3108270
• 961453b
• 3014c4a
• abe88ed
• 70e917c

The following commits have been made on the 4.6 branch to fix this issue:

• b0180f1
• 96e0aa3
• cd229d7
• 331c560
• 2766460

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.