phpMyAdmin Multiple Path Disclosure Vulnerabilities (PMASA-2016-1, PMASA-2016-6, PMASA-2016-8)
Medium Nessus Plugin ID 90428
Synopsis
The remote web server hosts a PHP application that is affected by multiple path disclosure vulnerabilities.
Description
The phpMyAdmin application hosted on the remote web server is affected by multiple path disclosure vulnerabilities in multiple scripts. An unauthenticated, remote attacker can exploit these vulnerabilities, via a specially crafted request, to disclose the full path of the directory where phpMyAdmin is installed.
Note that phpMyAdmin is also reportedly affected by multiple cross-site scripting and cross-site request forgery vulnerabilities; however, Nessus has not tested for these.
Solution
Upgrade to phpMyAdmin version 220.127.116.11 / 18.104.22.168 / 4.5.4 or later.
Alternatively, apply the patch referenced in the vendor advisory.