Vigil@nce - phpMyAdmin: path disclosure via show_config_errors.php
April 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can call the show_config_errors.php script of
phpMyAdmin to trigger an error that displays the installation
path.
Severity: 1/4
Creation date: 29/03/2012
IMPACTED PRODUCTS
– phpMyAdmin
DESCRIPTION OF THE VULNERABILITY
The show_config_errors.php script of phpMyAdmin displays the errors
contained in the config.inc.php (CONFIG_FILE) file.
However, if this file does not exist, an error occurs, and the
full file path is displayed in the error message.
An attacker can therefore call the show_config_errors.php script
of phpMyAdmin to trigger an error that displays the installation
path.
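To check a response body saved from your own installation for this kind of leak, the following added example (not part of the bulletin and not phpMyAdmin code) parses PHP error messages and reports any absolute path they reveal. The sample body, its path and its line number are constructed for illustration, and the function names are hypothetical.

```python
import html
import re

# Constructed sample: what a response body could look like when PHP reports a
# failed require of a missing config file (path and line number are made up).
SAMPLE_LEAKY = (
    "<br />\n<b>Warning</b>:  require(./config.inc.php): failed to open stream: "
    "No such file or directory in <b>/var/www/phpmyadmin/show_config_errors.php</b> "
    "on line <b>37</b><br />\n"
    "<br />\n<b>Fatal error</b>:  require(): Failed opening required "
    "&#039;./config.inc.php&#039; (include_path=&#039;.:/usr/share/php&#039;) in "
    "<b>/var/www/phpmyadmin/show_config_errors.php</b> on line <b>37</b><br />\n"
)
SAMPLE_CLEAN = ""  # constructed: a response with no error output

_TAGS = re.compile(r"<[^>]+>")
# PHP error layout: "<level>: <message> in <file> on line <n>", one per line.
# Only absolute paths (Unix or Windows drive) count as a disclosure.
_PHP_ERROR = re.compile(
    r"(?P<level>Warning|Fatal error|Notice|Parse error):\s+"
    r"(?P<message>[^\r\n]*?) in "
    r"(?P<file>(?:/|[A-Za-z]:[\\/])[^\r\n]*?) on line (?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one finding per PHP error in `body` that names an absolute path."""
    # Errors may be wrapped in HTML (html_errors on) or plain text; normalise both.
    text = html.unescape(_TAGS.sub("", body))
    findings = []
    for m in _PHP_ERROR.finditer(text):
        path = m.group("file")
        cut = max(path.rfind("/"), path.rfind("\\"))
        findings.append({
            "level": m.group("level"),
            "file": path,
            "directory": path[:cut] or path[: cut + 1],
            "line": int(m.group("line")),
        })
    return findings


def disclosed_directories(body):
    """Distinct directories revealed by the errors in `body`."""
    return sorted({f["directory"] for f in find_path_disclosures(body)})


if __name__ == "__main__":
    for finding in find_path_disclosures(SAMPLE_LEAKY):
        print(finding)
```
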
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/phpMyAdmin-path-disclosure-via-show-config-errors-php-11511