
phpMyAdmin 4.4.15.x < 4.4.15.9 / 4.6.x < 4.6.5 Multiple Information Disclosure

Medium

Synopsis

The remote web server contains a version of phpMyAdmin that is affected by multiple information disclosure attack vectors.

Description

Versions of phpMyAdmin 4.4.15.x prior to 4.4.15.9, and 4.6.x prior to 4.6.5, are unpatched and therefore affected by the following vulnerabilities:

- A flaw exists in 'libraries/VersionInformation.php' related to false values being passed to the 'json_decode()' method. This may allow an authenticated, remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. (OSVDB 148475)

- A flaw exists related to export timeouts in the 'PMA_shutdownDuringExport()' function in 'libraries/export.lib.php'. This may allow an authenticated, remote attacker to disclose the software's installation path. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks. (OSVDB 148476)

Solution

Upgrade to phpMyAdmin version 4.6.5 or later. If 4.6.x cannot be obtained, version 4.4.15.9 has also been patched for these vulnerabilities.
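The affected ranges above are easy to misread during patch triage, since the fix lives in two separate branches (4.4.15.9 for the 4.4.15.x line and 4.6.5 for the 4.6.x line). The following script, an added example that is not part of this advisory or of any scanner plugin, encodes those two ranges and evaluates a phpMyAdmin version string against them; the inventory dictionary it runs over is constructed sample data, not real hosts.

```python
"""Evaluate phpMyAdmin version strings against the affected ranges stated in
the advisory: 4.4.15.x < 4.4.15.9 and 4.6.x < 4.6.5.
Added example; not the advisory's or phpMyAdmin's own code."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# (branch prefix, first fixed version in that branch), taken from the advisory.
AFFECTED_RANGES = (
    ((4, 4, 15), (4, 4, 15, 9)),
    ((4, 6), (4, 6, 5)),
)


def parse_version(text: str) -> Optional[Version]:
    """Extract the first dotted numeric version (e.g. '4.6.4') from a string.

    Returns None when no such token is present, so callers can distinguish
    'unknown version' from 'not affected'.
    """
    match = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(version_text: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if not, None if unparseable.

    Only the two branches named in the advisory are evaluated; versions on other
    branches return False because the advisory makes no claim about them.
    Tuple comparison handles short versions naturally: (4, 6) sorts below
    (4, 6, 5), so a bare '4.6' is treated as an unpatched 4.6.x release.
    """
    version = parse_version(version_text)
    if version is None:
        return None
    for branch, first_fixed in AFFECTED_RANGES:
        if version[: len(branch)] == branch and version < first_fixed:
            return True
    return False


def triage(inventory: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host in an inventory to its affected status."""
    return {host: is_affected(banner) for host, banner in inventory.items()}


# Constructed sample inventory (hypothetical host names and banners).
SAMPLE_INVENTORY = {
    "db-admin-1": "phpMyAdmin 4.6.4",
    "db-admin-2": "phpMyAdmin 4.6.5",
    "legacy-1": "phpMyAdmin 4.4.15.6",
    "legacy-2": "phpMyAdmin 4.4.15.9",
    "db-admin-3": "phpMyAdmin 4.7.0",
    "unknown-1": "version not reported",
}

if __name__ == "__main__":
    labels = {True: "AFFECTED - upgrade", False: "not affected", None: "unknown"}
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:28} {labels[status]}")
```

Hosts that report True should be upgraded to 4.6.5 or later (or 4.4.15.9 where the 4.6.x line cannot be deployed), and hosts that return None need their version confirmed by another means before they are marked clean.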