Bug 443683 - (CVE-2008-1924) CVE-2008-1924 phpMyAdmin: Permission/information leak to access with apache rights
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Red Hat Product Security
http://www.phpmyadmin.net/home_page/s...
Reported: 2008-04-22 16:34 EDT by Robert Scheck
Modified: 2008-05-17 14:59 EDT
Doc Type: Bug Fix
Last Closed: 2008-05-17 14:59:25 EDT


Description Robert Scheck 2008-04-22 16:34:01 EDT
Upstream: phpMyAdmin
Announcement-ID: PMASA-2008-3
Date: 2008-04-22

Summary:
File disclosure on shared hosts via a crafted HTML.

Description:
Upstream received an advisory from Cezary Tomczak, and we wish to thank him for 
his work. It is possible to read the contents of any file that the web server's 
user can access. The exact mechanism to achieve this won't be disclosed.

Severity:
Upstream considers this vulnerability to be serious.

Mitigation factor:
If a user can upload on the same host where phpMyAdmin is running, a PHP script 
that can read files with the rights of the web server's user, the current 
advisory does not describe an additional threat.

Affected versions:
Versions before 2.11.5.2.

Solution:
Upgrade to phpMyAdmin 2.11.5.2 or newer.
References: Revision 11205
Comment 1 Fedora Update System 2008-04-22 17:30:49 EDT
phpMyAdmin-2.11.5.2-1.fc7 has been submitted as an update for Fedora 7
Comment 2 Fedora Update System 2008-04-22 17:31:15 EDT
phpMyAdmin-2.11.5.2-1.fc8 has been submitted as an update for Fedora 8
