PhpMyAdminPHPMYADMIN:PMASA-2010-10Possible information disclosure.
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
77.7%
PMASA-2010-10
Announcement-ID: PMASA-2010-10
Date: 2010-12-07
Updated: 2010-02-16
Summary
Possible information disclosure.
Description
Unauthenticated user was able to display phpinfo output if phpMyAdmin was enabled to show it.
Severity
The issue is considered minor, because this feature is not enabled in default installation.
Mitigation factor
Default installation is not affected, because $$cfg[βShowPhpInfoβ] is false by default.
Affected Versions
All versions prior to 3.4.0-beta1.
Solution
Upgrade to phpMyAdmin 3.4.0-beta1 or newer or apply patch listed below. Due to its minor impact, a fix will be included in the next regular release which is 3.3.10.
References
This issue was reported by JΓΆrg Sommer.
Assigned CVE ids: CVE-2010-4481
Patches
The following commits have been made to fix this issue:
The following commits have been made on the 2.11 branch to fix this issue:
The following commits have been made on the 3.3 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS
Percentile
77.7%