PMASA-2010-10

Announcement-ID: PMASA-2010-10

Date: 2010-12-07

Updated: 2010-02-16

Summary

Possible information disclosure.

Description

Unauthenticated user was able to display phpinfo output if phpMyAdmin was enabled to show it.

Severity

The issue is considered minor, because this feature is not enabled in default installation.

Mitigation factor

Default installation is not affected, because $$cfg['ShowPhpInfo'] is false by default.

Affected Versions

All versions prior to 3.4.0-beta1.

Solution

Upgrade to phpMyAdmin 3.4.0-beta1 or newer or apply patch listed below. Due to its minor impact, a fix will be included in the next regular release which is 3.3.10.

References

This issue was reported by Jörg Sommer.

Assigned CVE ids: CVE-2010-4481

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made to fix this issue:

The following commits have been made on the 2.11 branch to fix this issue:

The following commits have been made on the 3.3 branch to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements