Bringing MySQL to the web

PMASA-2005-2

Announcement-ID: PMASA-2005-2

Date: 2005-02-26

Summary

Path disclosure

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way (especially scripts in the libraries subdirectory), it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider those vulnerabilities to be minor (see Mitigation factor).

Mitigation factor

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual.

Affected Versions

Probably all phpMyAdmin versions.

Solution

Apply the PHP manual recommendations. Note that it's possible to apply a PHP configuration directive to a specific directory (see References).

References

About the display_errors directive:
http://www.php.net/manual/en/ref.errorfunc.php
How to apply the directive to a specific directory:
http://www.php.net/manual/en/configuration.changes.php

Assigned CVE ids: CVE-2005-0544

CWE ids: CWE-661 CWE-200

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.