Bugzilla – Bug 982127
VUL-0: CVE-2016-5098: phpmyadmin: File Traversal Protection Bypass on Error Reporting (PMASA-2016-15)
Last modified: 2016-05-30 07:27:51 UTC
https://www.phpmyadmin.net/security/PMASA-2016-15/

Announcement-ID: PMASA-2016-15
Date: 2016-05-25
Updated: 2016-05-26

Summary: File Traversal Protection Bypass on Error Reporting

Description: A specially crafted payload could result in the error reporting component exposing whether an arbitrary file exists on the file system and the size of that file. The attacker must be able to intercept and modify the user's POST data and must be able to trigger a JavaScript error to the user.

Mitigation: This attack can be mitigated in affected installations by setting `$cfg['Servers'][$i]['SendErrorReports'] = 'never';`. Upgrading to a more recent development commit is suggested.

Affected Versions: Git 'master' development branch. No released version was vulnerable. All released versions are not affected as they use precalculated data.

Assigned CVE ids: CVE-2016-5098
CWE ids: CWE-661

Patches: The following commits have been made on the 4.6 branch to fix this issue: d2dc9481d2af25b035778c67eaf0bfd2d2c59dd8
git master only, closing