phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain the full path of the server via direct requests to multiple scripts in the libraries directory.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Phpmyadmin | Phpmyadmin | 2.2.0 (including) | 2.2.0 (including) |
| Phpmyadmin | Phpmyadmin | 2.2.7_pl1 (including) | 2.2.7_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.2_pl1 (including) | 2.5.2_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.3 (including) | 2.5.3 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.4 (including) | 2.5.4 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.5_pl1 (including) | 2.5.5_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.6_rc2 (including) | 2.5.6_rc2 (including) |
| Phpmyadmin | Phpmyadmin | 2.5.7_pl1 (including) | 2.5.7_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.0_pl3 (including) | 2.6.0_pl3 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.1_pl3 (including) | 2.6.1_pl3 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.2_pl1 (including) | 2.6.2_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.3_pl1 (including) | 2.6.3_pl1 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.4_pl3 (including) | 2.6.4_pl3 (including) |
| Phpmyadmin | Phpmyadmin | 2.6.4_pl4 (including) | 2.6.4_pl4 (including) |
| Phpmyadmin | Phpmyadmin | 2.7.0_beta1 (including) | 2.7.0_beta1 (including) |
| Phpmyadmin | Ubuntu | upstream | * |
References
- http://marc.info/?l=bugtraq\u0026m=113208319104035\u0026w=2
- http://securityreason.com/securityalert/185
- http://securitytracker.com/id?1015213
- http://www.fitsec.com/advisories/FS-05-02.txt
- http://www.osvdb.org/20911
- http://www.osvdb.org/20912
- http://www.osvdb.org/20913
- http://www.osvdb.org/20914
- http://marc.info/?l=bugtraq\u0026m=113208319104035\u0026w=2
- http://securityreason.com/securityalert/185
- http://securitytracker.com/id?1015213
- http://www.fitsec.com/advisories/FS-05-02.txt
- http://www.osvdb.org/20911
- http://www.osvdb.org/20912
- http://www.osvdb.org/20913
- http://www.osvdb.org/20914