Bug 443683 (CVE-2008-1924)

Summary: CVE-2008-1924 phpMyAdmin: Permission/information leak to access with apache rights
Product: [Other] Security Response
Reporter: Robert Scheck <redhat-bugzilla>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: mmcgrath, robert.scheck
Hardware: All   
OS: Linux   
URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-3
Doc Type: Bug Fix
Last Closed: 2008-05-17 18:59:25 UTC

Description Robert Scheck 2008-04-22 20:34:01 UTC
Upstream: phpMyAdmin
Announcement-ID: PMASA-2008-3
Date: 2008-04-22

Summary:
File disclosure on shared hosts via a crafted HTML.

Description:
Upstream received an advisory from Cezary Tomczak, and we wish to thank him for 
his work. It is possible to read the contents of any file that the web server's 
user can access. The exact mechanism to achieve this won't be disclosed.

Severity:
Upstream considers this vulnerability to be serious.

Mitigation factor:
If a user can upload on the same host where phpMyAdmin is running, a PHP script 
that can read files with the rights of the web server's user, the current 
advisory does not describe an additional threat.

Affected versions:
Versions before 2.11.5.2.

Solution:
Upgrade to phpMyAdmin 2.11.5.2 or newer.
References: Revision 11205

Comment 1 Fedora Update System 2008-04-22 21:30:49 UTC
phpMyAdmin-2.11.5.2-1.fc7 has been submitted as an update for Fedora 7

Comment 2 Fedora Update System 2008-04-22 21:31:15 UTC
phpMyAdmin-2.11.5.2-1.fc8 has been submitted as an update for Fedora 8