
CVE-2016-5730: phpMyAdmin full path disclosure vulnerability

CVSS Score: 5.3 (CVSS v3.0)

Basic Information

EPSS Score: 0.78932%
Published: 5/14/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
----------------------|-----------|---------------------|----------------------
phpmyadmin/phpmyadmin | composer  | >= 4.0, < 4.0.10.16 | 4.0.10.16
phpmyadmin/phpmyadmin | composer  | >= 4.4, < 4.4.15.7  | 4.4.15.7
phpmyadmin/phpmyadmin | composer  | >= 4.6, < 4.6.3     | 4.6.3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from improper error handling and input validation across several components. The patches address: 1) type checks in openid.php, 2) handling of a missing config.php directory, 3) array parameter processing in FormDisplay (libraries/config/FormDisplay.php), 4) input-validation gaps in the Validator class (libraries/config/Validator.php), and 5) unsanitized error messages in validate.php. In each case the affected function let an unhandled exception or error surface when it received malformed input, leaking the full filesystem path, as confirmed by the commit diffs and the CVE description.
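As an added illustration that is not part of this page or of phpMyAdmin's own code, the constructed PHP below shows the bug class the analysis describes (a request parameter assumed to be a string, a config file assumed to exist) beside a hardened form; the function names, the parameter name `field` and the config path are assumptions.

```php
<?php
// Constructed example, not phpMyAdmin code: mirrors the bug class in the
// root-cause analysis. Parameter and function names are assumptions.

// Vulnerable shape: the value is assumed to be a string. A request such as
// ?field[]=x makes $_GET['field'] an array; trim() then emits a warning
// (PHP 7) or throws a TypeError (PHP 8), and with display_errors enabled the
// message written to the response names the absolute path of this script.
function render_field_vulnerable(): string
{
    $value = $_GET['field'] ?? '';
    return htmlspecialchars(trim($value)); // trim(array): error text includes full path
}

// Hardened shape: reject the wrong type before any string function sees it,
// and answer with a generic message rather than an engine-generated one.
function render_field_hardened(): string
{
    $value = $_GET['field'] ?? '';
    if (!is_string($value)) {
        http_response_code(400);
        return 'Invalid parameter';          // no warning, no path
    }
    return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
}

// Same idea for a missing configuration file (assumed path): checking
// existence first avoids an include() warning that would reveal the
// directory being searched.
function load_config_hardened(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        error_log('config missing: ' . basename($path)); // log, do not echo
        return [];
    }
    $cfg = include $path;
    return is_array($cfg) ? $cfg : [];
}

// Defence in depth for anything the checks above miss: errors are logged,
// never displayed to the client (equivalent php.ini settings apply).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

echo render_field_hardened();
$config = load_config_hardened(__DIR__ . '/config.php'); // assumed location
```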


WAF Protection Rules

WAF Rule

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 allows remote attackers to obtain sensitive information via vectors involving (1) an array value to FormDisplay.php, (2) incorrect data to validate.php, (3) unexpected …
