phpMyAdmin contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker makes a direct request to the /libraries/storage_engines.lib.php script, which will disclose the software's installation path resulting in a loss of confidentiality. While such information is relatively low risk, it is often useful in carrying out additional, more focused attacks.

Upgrade to version 2.6.4-pl4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• Security Tracker: 1015213
• Secunia Advisory ID: 17578
• CVE ID: 2005-3622 (see also: NVD)
• Related OSVDB ID: 20910 20911 20913 20914
• Keyword: FS-05-02
• Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0446.html
• Other Advisory URL: http://www.fitsec.com/advisories/FS-05-02.txt
• Vendor Specific Advisory URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6

• Toni Koivunen - toni.koivunenfitsec.com - Fitsec.com