Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5587 to the following vulnerability: Directory traversal vulnerability in libraries/lib.inc.php in phpPgAdmin 4.2.1 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) in the _language parameter to index.php.

References:
http://www.milw0rm.com/exploits/7363
http://www.securityfocus.com/bid/32670
http://secunia.com/advisories/33014

Upstream bug: http://sourceforge.net/tracker/?func=detail&group_id=37132&atid=418980&aid=2422429 (no fix there yet, making sure $_language is unset before use should do the trick)
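An added example (not phpPgAdmin's own code, nor the upstream patch) of the include pattern behind this bug and a hardened language selection that unsets the globals-injected variable and resolves the choice through an allowlist. `$appLangFiles` and `selectLangFile()` are constructed names for illustration.

```php
<?php
// Added example, not phpPgAdmin's own code: the language-file include
// pattern behind CVE-2008-5587, with a hardened selection routine.
// $appLangFiles is a constructed stand-in for the application's map of
// installed language files; selectLangFile() is our own helper name.
$appLangFiles = array(
    'english' => 'english',
    'french'  => 'french',
    'german'  => 'german',
);

// Vulnerable shape (4.2.1 and earlier with register_globals=On): a request
// index.php?_language=... pre-populates the global $_language, so the raw
// value reaches the include path and a ".." sequence escapes ./lang:
//
//   include_once('./lang/' . $_language . '.php');

// Hardened shape. (1) Discard anything register_globals may have injected
// before the variable is used, as the bug report suggests.
unset($_language);

// (2) Resolve the request against the allowlist; the returned path is built
// from the allowlist value, never from the raw input, so "../" cannot occur.
function selectLangFile(array $appLangFiles, $requested, $default = 'english')
{
    if (is_string($requested) && isset($appLangFiles[$requested])) {
        return './lang/' . $appLangFiles[$requested] . '.php';
    }
    // Unknown, non-string (e.g. ?language[]=x) or traversal input: fall back.
    return './lang/' . $appLangFiles[$default] . '.php';
}

// (3) Read the choice only from the explicit request array, never from a
// bare global that register_globals could have populated.
$requested = isset($_REQUEST['language']) ? $_REQUEST['language'] : 'english';
$langFile  = selectLangFile($appLangFiles, $requested);

// Constructed inputs showing the outcome; in the application this line would
// be followed by include_once($langFile).
foreach (array('french', '../config', array('x')) as $input) {
    echo var_export($input, true), ' => ', selectLangFile($appLangFiles, $input), "\n";
}
```

The traversal and array inputs both resolve to `./lang/english.php`, so no request-controlled string ever reaches the include path.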
phpPgAdmin-4.2.2-1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/phpPgAdmin-4.2.2-1.fc9
phpPgAdmin-4.2.2-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/phpPgAdmin-4.2.2-1.fc10
phpPgAdmin-4.2.2-1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/phpPgAdmin-4.2.2-1.fc8
Fixed upstream in 4.2.2. Upstream patch: http://github.com/xzilla/phppgadmin/commit/b62ff9fa11f0dbed1a28568671eb31d45a5363dd
Tomas, already pushed the package(s) to the repositories :). I contacted the phpPgAdmin team yesterday, and they provided a quick fix.
phpPgAdmin-4.2.2-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
phpPgAdmin-4.2.2-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
phpPgAdmin-4.2.2-1.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:

Fedora:
https://admin.fedoraproject.org/updates/F10/FEDORA-2008-11564
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-11602