Red Hat Bugzilla – Bug 443683
CVE-2008-1924 phpMyAdmin: Permission/information leak to access with apache rights
Last modified: 2008-05-17 14:59:25 EDT
File disclosure on shared hosts via a crafted HTML.
Upstream received an advisory from Cezary Tomczak, and we wish to thank him for
his work. It is possible to read the contents of any file that the web server's
user can access. The exact mechanism to achieve this won't be disclosed.
Upstream considers this vulnerability to be serious.
If a user can upload on the same host where phpMyAdmin is running, a PHP script
that can read files with the rights of the web server's user, the current
advisory does not describe an additional threat.
Versions before 184.108.40.206.
Upgrade to phpMyAdmin 220.127.116.11 or newer.
References: Revision 11205
phpMyAdmin-18.104.22.168-1.fc7 has been submitted as an update for Fedora 7
phpMyAdmin-22.214.171.124-1.fc8 has been submitted as an update for Fedora 8