Bug 221694 (CVE-2007-0095)
| Summary: | CVE-2007-0095: phpMyAdmin <= 2.9.1.1 information disclosure | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ville Skyttä <ville.skytta> |
| Component: | phpMyAdmin | Assignee: | Mike McGrath <mmcgrath> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | fedora-security-list, redhat-bugzilla |
| Target Milestone: | --- | Keywords: | Reopened, Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | 2.11.3-1.fc7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-12-10 20:44:51 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Attachments: | | | |
Description
Ville Skyttä
2007-01-06 08:34:35 UTC
For any Fedora installation, you know the path just from inspecting the RPM. But this does disclose that the site is probably run on Fedora, which could conceivably be an issue. Not that our Apache doesn't by default do the same thing, but that's configurable. So yes, this is an issue, although it's a terribly minor one.

I agree with Tibbs. I'm going to keep an eye on this to see if anything more comes of it; if so, I'll update. Otherwise I'll wait until the next version comes out.

2.9.2 is out. It's built and should be on the mirrors soon.

It doesn't look like 2.9.2 fixes this though. The demo server at http://pma.cihar.com/STABLE/ runs 2.9.2, but directly requesting http://pma.cihar.com/STABLE/themes/darkblue_orange/layout.inc.php after logging in reveals a path: "Fatal error: Call to a member function getImgPath() on a non-object in /srv/http/pma.cihar.com/STABLE/themes/darkblue_orange/layout.inc.php"

The demo server in comment 4 seems to have been updated to 2.10.0.2 but still shows the same problem.

The demo server in comment 4 now advertises usage of 2.11.1.2 and the problem still occurs.

Same problem on phpMyAdmin 2.11.2.2 further on:

Fatal error: Call to a member function on a non-object in /srv/www/phpMyAdmin/themes/darkblue_orange/layout.inc.php on line 75

Created attachment 282211
Proposal of a possible fix for CVE-2007-0095

Can somebody please review this patch carefully, because upstream seems not to be interested in solving this issue at all.

phpMyAdmin-2.11.3-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.

phpMyAdmin-2.11.3-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
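The failure discussed in the comments above is an include file that assumes state set up by the application's entry point and aborts with a fatal error, printing its absolute path, when a client requests it on its own. The following is an added illustration of the include-guard fix pattern and the server-side settings that contain the leak; it is neither the patch in attachment 282211 nor phpMyAdmin's own code, and the `PHPMYADMIN` sentinel, the `$GLOBALS['PMA_Theme']` object and the `getImgPath()` call are assumed names chosen for the example.

```php
<?php
// --- themes/example_theme/layout.inc.php (constructed illustration) ---
//
// Vulnerable shape: this file assumes $GLOBALS['PMA_Theme'] (assumed name) was
// created by the script that included it. Requested directly, that object does
// not exist and PHP aborts with:
//   Fatal error: Call to a member function getImgPath() on a non-object in /srv/.../layout.inc.php
// With display_errors on, the absolute installation path is sent to the client.

// Hardened shape: refuse to run outside the application context. The entry
// point defines PHPMYADMIN (assumed sentinel name) before including any file,
// so a direct request never reaches the line that dereferences the missing object.
if (! defined('PHPMYADMIN')) {
    header('HTTP/1.1 403 Forbidden');
    exit;
}

$GLOBALS['cfg']['ThemeImagePath'] = $GLOBALS['PMA_Theme']->getImgPath();

// --- index.php, the entry point (constructed illustration) ---
// define('PHPMYADMIN', true);
// require_once './libraries/common.inc.php';          // sets up $GLOBALS['PMA_Theme']
// require_once './themes/example_theme/layout.inc.php';

// --- Defence in depth, independent of any guard ---
// Even with every include guarded, an unexpected fatal error elsewhere would
// still print the path unless error output is kept out of the HTTP response:
//   php.ini:   display_errors = Off
//              log_errors     = On        ; keep the detail in the server log instead
//
// And the web server can refuse direct requests to include files outright:
//   <FilesMatch "\.inc\.php$">
//       Require all denied               # Apache 2.4; Apache 2.2 uses "Deny from all"
//   </FilesMatch>
```

The guard fixes the specific file; the php.ini and FilesMatch settings make the class of bug non-disclosing even for include files that were missed.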