File Traversal Protection Bypass on Error Reporting

PMASA-2016-15

Announcement-ID: PMASA-2016-15

Date: 2016-05-25

Updated: 2016-05-26

Summary

File Traversal Protection Bypass on Error Reporting

Description

A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file.

The attacker must be able to intercept and modify the user’s POST data and must be able to trigger a JavaScript error to the user.

Updated to include CVE ID.

Severity

We consider this to be non-critical.

Mitigation factor

This attack can be mitigated in affected installations by setting $cfg['Servers'][$i]['SendErrorReports'] = 'never';. Upgrading to a more recent development commit is suggested.

Affected Versions

Git ‘master’ development branch. No released version was vulnerable.

Unaffected Versions

All released versions are not affected as they use precalculated data.

Solution

Upgrade to a more recent snapshot or release version.

References

This issue was found thanks to Mozilla SOS program.

Assigned CVE ids: CVE-2016-5098

CWE ids: CWE-661

Patches

The following commits have been made on the 4.6 branch to fix this issue:

• d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.