|Description||An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 22.214.171.124), and 4.0.x versions (prior to 126.96.36.199) are affected.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|NVD severity||medium (attack range: remote)|
Vulnerable and fixed packages
The table below lists information on source packages.
|phpmyadmin (PTS)||jessie (security), jessie||4:4.2.12-2+deb8u2||vulnerable|
The information below is based on the following data on fixed versions.
|Package||Type||Release||Fixed Version||Urgency||Origin||Debian Bugs|
The solution is to remove a configuration option. This option
is by default disabled so a default installation is not
vulnerable. It should be fairly obvious that enabling phpinfo
printing can show more information than what should be used in
a production environment. This is the motivation that it is not
solved for wheezy.