Fluid Attacks Database

Description

phpMyAdmin full path disclosure vulnerability phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected data to Validator.php, (4) a missing config directory during setup, or (5) an incorrect OpenID identifier data type, which reveals the full path in an error message.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	phpmyadmin/phpmyadmin	>=4.0 <4.0.10.16 \|\| >=4.4 <4.4.15.7 \|\| >=4.6 <4.6.3	4.0.10.16, 4.4.15.7, 4.6.3
debian 13	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1
debian 12	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1
debian 11	phpmyadmin	>=0 <4:4.6.3-1	4:4.6.3-1

Aliases

1. CVE-2016-57302. NVD-2016-57303. OSV-2016-57304. OSV-DEBIAN-2016-57305. GCVE-2016-57306. security.gentoo.org7. SECURITY-TRACKER-CVE-2016-5730

References

1. https://github.com/phpmyadmin/phpmyadmin/commit/27664605b945b13e1d2b71adea822ace2099cc962. https://github.com/phpmyadmin/phpmyadmin/commit/331c560fbfa0e7d2dce674b5e88e983c5f2a451d3. https://github.com/phpmyadmin/phpmyadmin/commit/96e0aa35653ec0c66084a7e9343465e16c1f769b4. https://github.com/phpmyadmin/phpmyadmin/commit/b0180f18c828706af3a6800f0fb01a536d3ef8c75. https://github.com/phpmyadmin/phpmyadmin/commit/cd229d718e8cb4bc8ba32446beaa82d27727b6f06. https://www.phpmyadmin.net/security/PMASA-2016-237. http://lists.opensuse.org/opensuse-updates/2016-06/msg00113.html8. http://lists.opensuse.org/opensuse-updates/2016-06/msg00114.html9. http://www.securityfocus.com/bid/91379