Bug 662366 (CVE-2010-4481)

Summary: CVE-2010-4481 phpMyAdmin: information disclosure flaw (PMASA-2010-10)
Product: [Other] Security Response
Component: vulnerability
Reporter: Vincent Danen <vdanen>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: kevin, mmcgrath, redhat-bugzilla
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-30 07:14:28 UTC
Bug Depends On: 662367

Description Vincent Danen 2010-12-12 04:26:12 UTC
PMASA-2010-10 [1] indicates that unauthenticated users were able to display phpinfo() output if phpMyAdmin was enabled to show it (which is not the default).  The phpinfo.php script incorrectly defined the PMA_MINIMUM_COMMON constant, which is used to skip authentication.  This has been corrected [2] in 3.4.0-beta1.

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2010-10.php
[2] http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commitdiff;h=4d9fd005671b05c4d74615d5939ed45e4d019e4c
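
The pattern the report describes, as an added illustration (this is not phpMyAdmin's own code and does not reproduce its include layout): a shared include that skips its authentication step whenever the calling script has defined PMA_MINIMUM_COMMON, and a phpinfo page written two ways, one that wrongly opts into that minimal mode and one that goes through the full include so the session check runs before the configuration gate. The constant is modelled as a boolean parameter because a PHP constant cannot be undefined once set, which would prevent running both variants in one script; $env, $show_php_info and render_phpinfo() are names assumed for this example.

```php
<?php
// Added illustration, not phpMyAdmin's own code. It models the mechanism from
// PMASA-2010-10: a shared include that skips authentication when the caller has
// defined PMA_MINIMUM_COMMON, and a phpinfo page that wrongly sets it.
// $env, $show_php_info and render_phpinfo() are assumptions for this example.

// Model of the shared include. In the real layout a caller signals minimal
// mode with define('PMA_MINIMUM_COMMON', true) before the include; here it is
// a parameter so both page variants can be exercised in a single run.
function common_include(array $env, bool $minimum_common): array
{
    if ($minimum_common) {
        // Minimal setup only: no session check, no login redirect.
        return ['authenticated' => false, 'auth_checked' => false];
    }
    if (empty($env['session_user'])) {
        // Full setup: an anonymous request would be sent to the login form.
        return ['authenticated' => false, 'auth_checked' => true];
    }
    return ['authenticated' => true, 'auth_checked' => true, 'user' => $env['session_user']];
}

// Stands in for the real phpinfo() call so the example produces a short string.
function render_phpinfo(): string
{
    return 'PHP Version ' . PHP_VERSION . ' (full phpinfo() output would follow)';
}

// Vulnerable shape: the page requests the minimal include, so the session is
// never checked and an anonymous request reaches phpinfo() whenever the
// feature is enabled in configuration.
function phpinfo_page_vulnerable(array $env, bool $show_php_info): string
{
    common_include($env, true);
    if (!$show_php_info) {
        return 'HTTP 403: phpinfo display is disabled in configuration';
    }
    return render_phpinfo();
}

// Corrected shape: the page uses the full include, so the authentication
// result is available and is checked before the configuration gate.
function phpinfo_page_fixed(array $env, bool $show_php_info): string
{
    $ctx = common_include($env, false);
    if (!$ctx['authenticated']) {
        return 'HTTP 302: redirect to login';
    }
    if (!$show_php_info) {
        return 'HTTP 403: phpinfo display is disabled in configuration';
    }
    return render_phpinfo();
}

// Constructed sample requests: one with no session, one from a logged-in user.
$anonymous = ['session_user' => null];
$admin     = ['session_user' => 'dba'];

foreach ([['anonymous', $anonymous], ['admin', $admin]] as [$label, $env]) {
    printf("%-9s vulnerable: %s\n", $label, phpinfo_page_vulnerable($env, true));
    printf("%-9s fixed:      %s\n", $label, phpinfo_page_fixed($env, true));
}
```

Run with `php example.php`: the vulnerable variant returns the phpinfo output for the anonymous request, while the fixed variant redirects it to login and only serves the logged-in user. The detection angle for a deployment is the same as the report's: the page is only exposed when the phpinfo display option is enabled, which is not the default, so confirming that option is off on production instances closes the issue independently of the code fix.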

Comment 1 Vincent Danen 2010-12-12 04:27:41 UTC
Created phpMyAdmin tracking bugs for this issue

Affects: fedora-all [bug 662367]

Comment 2 Robert Scheck 2011-05-29 20:53:37 UTC
May somebody please close this report? phpMyAdmin 3.3.10 is available on all active Fedora and EPEL branches that have PHP >= 5.2.

Comment 3 Tomas Hoger 2011-05-30 07:14:28 UTC
Robert, feel free to close Security Response product bugs for phpMyAdmin when you're done with them.  I believe you should be able to do that.

phpMyAdmin is currently in Fedora and EPEL and no other product that uses Red Hat bugzilla.

Comment 4 Robert Scheck 2011-05-30 08:36:38 UTC
Tomas, my main problem is that Bugzilla doesn't let me do such actions...sorry.

Comment 5 Kevin Fenzi 2011-06-01 16:42:27 UTC
Robert: You need to make sure your bugzilla email matches up with your fas email in order to have the correct privs. In this case it doesn't, so your current bugzilla account doesn't get the privs.

If you change your bugzilla email and/or fas account email to match you should be all set. ;)