netVigilance Security Advisory 4

Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior

Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.

External References:
Mitre CVE: CAN-2004-0129
BUGTRAQ: 20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior
BUGTRAQ ID (bid): 9564

phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW. There is a vulnerability in the current stable version of phpMyAdmin that allows an attacker to retrieve arbitrary files from the webserver with the privileges of the webserver.

Release Date:
February 03 2004


SecureScout Testcase ID:
TC 17869 (released Feb 6th)

Vulnerable Systems:
phpMyAdmin 2.5.5-pl1 and prior

Vulnerability Type:
Directory traversal: allows the attacker to read any file on the target server via the .. (dot dot) sequence.

Vendor Status:
The vendor has been notified and has released version 2.5.6-rc1, which fixes the problem.

Arbitrary File Disclosure

File impacted : export.php

// What type of export are we doing?
if ($what == 'excel') {
    $type = 'csv';
} else {
    $type = $what;
}

/**
 * Defines the url to return to in case of error in a sql statement
 */
require('./libraries/export/' . $type . '.php');

Exploit example:

-- HTTP Request --


-- HTTP Request --

The vulnerability is exploitable even if PHP register_globals is set to off.
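
One way to close this class of bug in code shaped like the export.php excerpt above, shown as an added example (it is not phpMyAdmin code and not the vendor's 2.5.6-rc1 fix): check the export type against a strict name pattern, then confirm the resolved file sits inside the plugin directory before it reaches require(). The function name resolve_export_plugin and the $pluginDir parameter are hypothetical, and the plugin directory used in the self-check is constructed sample data.

```php
<?php
// Added example, not phpMyAdmin code. resolve_export_plugin() and $pluginDir
// are hypothetical names.

// Returns the absolute path of the export plugin for $what, or null.
function resolve_export_plugin($what, $pluginDir)
{
    // The excerpt maps 'excel' to the csv plugin; keep that behaviour.
    $type = ($what === 'excel') ? 'csv' : $what;

    // 1. Syntactic check: a plugin name is a short lowercase identifier.
    //    Rejects "..", "/", "\", NUL bytes and any other unexpected byte.
    if (!is_string($type) || !preg_match('/\A[a-z0-9_]{1,32}\z/', $type)) {
        return null;
    }

    // 2. Containment check: the file must exist and, once symlinks are
    //    resolved, sit directly inside the plugin directory.
    $base = realpath($pluginDir);
    $path = realpath($pluginDir . '/' . $type . '.php');
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Self-check against a constructed plugin directory (sample files only).
$dir = sys_get_temp_dir() . '/export_demo_' . getmypid();
mkdir($dir);
touch($dir . '/csv.php');
touch($dir . '/sql.php');

$cases = [
    'sql'    => true,   // existing plugin
    'excel'  => true,   // alias for csv
    'latex'  => false,  // well-formed name, but no such plugin here
    '../sql' => false,  // dot dot sequence
    "sql\0"  => false,  // NUL byte
];
foreach ($cases as $what => $expected) {
    $ok = resolve_export_plugin((string) $what, $dir) !== null;
    if ($ok !== $expected) {
        throw new RuntimeException('unexpected result for ' . json_encode($what));
    }
    printf("%-12s %s\n", json_encode($what), $ok ? 'accepted' : 'rejected');
}
unlink($dir . '/csv.php');
unlink($dir . '/sql.php');
rmdir($dir);
```

The caller would pass only the returned path to require() and abort the export when the result is null.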

Cedric Cochin - netVigilance Vulnerability Research team

Copyright © 2004, netVigilance, Inc. All rights reserved