Announcement-ID: PMASA-2005-2
Date: 2005-02-26
Path disclosure
By calling some scripts that are part of phpMyAdmin in an unexpected way (especially scripts in the libraries subdirectory), it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.
We consider those vulnerabilities to be minor (see Mitigation factor).
This path disclosure is possible on servers where the PHP configuration directive <tt>display_errors</tt> is set to <tt>on</tt>, which is against the recommendations given in the PHP manual.
Probably all phpMyAdmin versions.
Apply the PHP manual recommendations. Note that it's possible to apply a PHP configuration directive to a specific directory (see References).
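A per-directory override of the kind described above might look as follows. This is an added example, not part of the original announcement; it assumes Apache with mod_php and uses a placeholder install path.

```apache
# Added example: assumes Apache with mod_php. The path below is a
# placeholder for the directory where phpMyAdmin is installed.

# Weak setting (server-wide, in php.ini) that makes the disclosure possible:
#   display_errors = On

<Directory "/var/www/phpMyAdmin">
    # php_admin_flag cannot be overridden from .htaccess or ini_set(),
    # so error messages with the full install path are never sent to clients.
    php_admin_flag display_errors off

    # Keep errors available to administrators in the server-side log.
    php_admin_flag log_errors on
</Directory>

# Where only .htaccess is available (requires AllowOverride Options or All),
# the equivalent line in the phpMyAdmin directory's .htaccess is:
#   php_flag display_errors off
```

After reloading Apache, the effective value for that directory can be confirmed with a temporary <tt>phpinfo()</tt> page placed in it and removed afterwards.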
About the display_errors directive:
http://www.php.net/manual/en/ref.errorfunc.php
How to apply the directive to a specific directory:
http://www.php.net/manual/en/configuration.changes.php
Assigned CVE ids: CVE-2005-0544
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.