phpMyAdmin is vulnerable to arbitrary file read. An attacker is able to read any file on the server using a rogue MySQL server when AllowArbitraryServer is set to true or when mysql.allow_local_infile is enabled by default. This is due to a bug in PHP, which does not honor phpMyAdmin's attempts to block the use of LOAD DATA INFILE.
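An added example, not part of the original advisory or of phpMyAdmin's code: a defensive audit that checks the text of a phpMyAdmin config file and a php.ini for the two conditions named above. The sample inputs are constructed, and checking mysqli.allow_local_infile (the mysqli extension's directive) alongside the name the advisory uses is an assumption about which extension is in use.

```python
import re

INI_TRUE = {"1", "on", "true", "yes"}  # spellings PHP's ini parser reads as enabled
# Directive name as written in the advisory, plus the mysqli extension's directive.
INFILE_KEYS = ("mysql.allow_local_infile", "mysqli.allow_local_infile")

def strip_php_comments(src):
    """Drop /* */, // and # comments so commented-out settings are not counted.
    Simplification: a '//' or '#' inside a string literal also truncates that line."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)(//|#).*$", "", src)

def allow_arbitrary_server(config_php):
    """Effective $cfg['AllowArbitraryServer']; the last assignment wins."""
    pat = r"""\$cfg\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*([^;]+);"""
    values = re.findall(pat, strip_php_comments(config_php))
    # phpMyAdmin ships with this option off, so no assignment means False.
    return bool(values) and values[-1].strip().lower() in {"true", "1"}

def local_infile_state(php_ini):
    """Map each explicitly set allow_local_infile directive to True/False."""
    state = {}
    for line in php_ini.splitlines():
        line = line.split(";", 1)[0].strip()  # ';' starts an ini comment
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in INFILE_KEYS:
                state[key] = value.strip('"').lower() in INI_TRUE
    return state

def audit(config_php, php_ini):
    """Return findings for the two conditions the advisory names."""
    findings = []
    if allow_arbitrary_server(config_php):
        findings.append("AllowArbitraryServer is true")
    state = local_infile_state(php_ini)
    findings += [f"{key} is enabled" for key, on in sorted(state.items()) if on]
    if not state:
        findings.append("allow_local_infile not set; PHP's built-in default applies")
    return findings

# Constructed sample inputs, not taken from any real host.
SAMPLE_CONFIG = """<?php
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;
"""
SAMPLE_INI = "[MySQLi]\nmysqli.allow_local_infile = On ; constructed\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_INI):
        print("FINDING:", finding)
```

An empty result means both settings are explicitly off in the files inspected; it does not account for per-directory or runtime overrides.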