PMASA-2018-6
Announcement-ID: PMASA-2018-6
Date: 2018-12-07
Summary
Local file inclusion through transformation feature
Description
A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
Severity
We consider this vulnerability to be severe.
Affected Versions
phpMyAdmin versions from at least 4.0 through 4.8.3 are affected
Solution
Upgrade to phpMyAdmin 4.8.4 or newer or apply patch listed below.
References
This vulnerability was reported by Daniel Le Gall from SCRT
Assigned CVE IDs: CVE-2018-19968
Patches
The following commits have been made on the 4.8 branch to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.