Announcement-ID: PMASA-2018-6
Date: 2018-12-07
Local file inclusion through transformation feature
A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
We consider this vulnerability to be severe.
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.
This vulnerability was reported by Daniel Le Gall from SCRT
Assigned CVE ids: CVE-2018-19968
The following commits have been made on the 4.8 branch to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.