Announcement-ID: PMASA-2016-8
Date: 2016-01-24
Full path disclosure vulnerability in SQL parser.
By calling a particular script that is part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
We consider this vulnerability to be non-critical.
This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.
Versions 4.5.x (prior to 4.5.4) are affected.
Upgrade to phpMyAdmin 4.5.4 or newer or apply patch listed below.
Thanks to Emanuel Bronshtein @e3amn2l for reporting these vulnerabilities.
Assigned CVE ids: CVE-2016-2044
The following commits have been made on the 4.5 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.