PMASA-2016-36

Announcement-ID: PMASA-2016-36

Date: 2016-07-12

Summary

Local file exposure through symlinks with UploadDir

Description

A vulnerability was found where a user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user.

Severity

We consider this vulnerability to be serious, however due to the mitigation factors the default state is not vulnerable.

Mitigation factor

1) The installation must be run with UploadDir configured (not the default) 2) The user must be able to create a symlink in the UploadDir 3) The user running the phpMyAdmin application must be able to read the file

Affected Versions

All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected

Solution

Upgrade to phpMyAdmin 4.6.4, 4.4.15.8, 4.0.10.17, or newer or apply patch listed below.

References

Thanks to Emanuel Bronshtein @e3amn2l for reporting this vulnerability.

Assigned CVE ids: CVE-2016-6613

CWE ids: CWE-661

Patches

The following commits have been made on the 4.0 branch to fix this issue:

• ab05803a4257c12ee75c3cf1cbc941b3ab1dcf7e

The following commits have been made on the 4.4 branch to fix this issue:

• c976baa8f6606cf4f127bcd44bf8a2b79459c550

The following commits have been made on the 4.6 branch to fix this issue:

• 0d57c09bd582f6f138bb4583374a83b673520fa7

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements