VYPR
Unrated severity · NVD Advisory · Published Nov 16, 2005 · Updated Jun 16, 2026

CVE-2005-3622

Description

phpMyAdmin 2.7.0-beta1 and earlier allows remote attackers to obtain the full path of the server via direct requests to multiple scripts in the libraries directory.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

16
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.0:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.2.7_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.2_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.5_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.6_rc2:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.5.7_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.0_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.1_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.2_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.3_pl1:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl3:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.6.4_pl4:*:*:*:*:*:*:*
    • cpe:2.3:a:phpmyadmin:phpmyadmin:2.7.0_beta1:*:*:*:*:*:*:*
    • (no CPE) range: <=2.7.0-beta1

Patches

Vulnerability mechanics

Root cause

"Direct access to library scripts causes PHP error messages that leak the full server filesystem path."

Attack vector

An attacker sends direct HTTP requests to any of the listed library scripts (e.g., `libraries/string.lib.php`). Because these scripts are not designed to be invoked directly, PHP error messages or warnings reveal the absolute filesystem path of the web server. No authentication or special configuration is required.

Affected code

Multiple scripts in the `libraries/` directory, including `string.lib.php`, `sqlparser.lib.php`, `common.lib.php`, and others, directly disclose the full server path when requested without proper context. The advisory lists over 20 such files that fail to prevent direct access.

What the fix does

The advisory does not include a patch diff. The recommended fix is to add a guard at the top of each library script that checks whether the script is being included from a legitimate entry point and exits if accessed directly, preventing PHP from emitting path-containing error messages.
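An added example, not phpMyAdmin's code or the advisory's: a small audit that flags library files whose first statement is not a direct-access guard, which is the condition the recommended fix is meant to establish. The constant name `APP_ENTRY`, the guard form and the sample file names are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumed convention (hypothetical, not from the advisory): entry points define
# APP_ENTRY and every library file opens with: if (!defined('APP_ENTRY')) { exit; }
GUARD_RE = re.compile(
    r"""if\s*\(\s*!\s*defined\s*\(\s*['"]APP_ENTRY['"]\s*\)\s*\)\s*\{?\s*(exit|die)\b"""
)
# Whitespace and comments are the only things allowed ahead of the guard.
SKIP_RE = re.compile(r"\s+|//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)


def first_statement(source: str) -> str:
    """Return the source from the first real PHP statement onward."""
    tag = re.search(r"<\?(?:php)?", source)
    if tag is None:
        return ""
    pos = tag.end()
    while (skipped := SKIP_RE.match(source, pos)) is not None:
        pos = skipped.end()
    return source[pos:]


def is_guarded(source: str) -> bool:
    """True only when the guard runs before any other statement."""
    return GUARD_RE.match(first_statement(source)) is not None


def unguarded_libraries(root: str) -> list[str]:
    """Names of .php files under root whose first statement is not the guard."""
    return sorted(p.name for p in Path(root).rglob("*.php")
                  if not is_guarded(p.read_text(errors="replace")))


# Constructed sample files, not taken from phpMyAdmin.
SAMPLES = {
    "guarded.lib.php": "<?php\n/* header */\nif (!defined('APP_ENTRY')) {\n    exit;\n}\nfunction f() {}\n",
    "late_guard.lib.php": "<?php\nrequire_once './other.lib.php';\nif (!defined('APP_ENTRY')) { exit; }\n",
    "bare.lib.php": "<?php\necho helper();\n",
}


def demo() -> list[str]:
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLES.items():
            Path(root, name).write_text(body)
        return unguarded_libraries(root)
```

A guard placed after a `require_once` is reported as missing, because the earlier statement can already raise a path-bearing error on a direct request.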

Preconditions

  • network: Attacker must be able to send HTTP requests to the phpMyAdmin installation
  • auth: No authentication or special configuration required

Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
