Multiple full path disclosure flaws were found in various components of phpMyAdmin, a tool written in PHP intended to handle the administration of MySQL over the World Wide Web. When PHP on the system in question was configured to display errors (display_errors directive set to on), a remote attacker could provide a specially crafted web page that, when processed, might (previously) reveal the full path of the directory where the phpMyAdmin instance was installed.

Upstream advisory:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

Relevant patches:
* master:
https://github.com/phpmyadmin/phpmyadmin/commit/0fea53b7b82134ce0e1979a71b7ce080b5b6ff9a
https://github.com/phpmyadmin/phpmyadmin/commit/8e4fe7c57a976f2ce9a6931687f4697d519111ec
https://github.com/phpmyadmin/phpmyadmin/commit/7992beb8e42f2a4a3dab275b119d1ebd58e3b164
https://github.com/phpmyadmin/phpmyadmin/commit/142e465c80a1fb3d71e214d29c566c15a416518d
* 3.5.x:
https://github.com/phpmyadmin/phpmyadmin/commit/142e465c80a1fb3d71e214d29c566c15a416518d
https://github.com/phpmyadmin/phpmyadmin/commit/63848b24389dfabda8306112e20742b3ff7b8b12
https://github.com/phpmyadmin/phpmyadmin/commit/4cc91616057d7517df306fe27b291c9639493d88
https://github.com/phpmyadmin/phpmyadmin/commit/5d49c44fb862bfdfb8205ff15e8469cfb1b1c5d9
https://github.com/phpmyadmin/phpmyadmin/commit/2f93578e20fd422f922183254dd50318d03a3e24
https://github.com/phpmyadmin/phpmyadmin/commit/8559162ebc8ce822fa01ac429a6aab08cfa4ceda
https://github.com/phpmyadmin/phpmyadmin/commit/1c1e3dca2b0cdfe10615f51a73b7d00718ad8d4b
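The report above ties the disclosure to the display_errors directive: the patched files stop emitting warnings, but the setting that turns any PHP warning into a path leak is the server's own. The following is an added example, not code from this bug report or from phpMyAdmin, that audits the relevant PHP error-reporting directives at runtime and prints the hardened values. The error_log path in the hardened block is a placeholder to be replaced with the site's own log location.

```php
<?php
// Added example (not part of the bug report or of phpMyAdmin): audit the PHP
// error-reporting directives that decide whether a warning's file path reaches
// the browser or only the server log. All names are standard php.ini directives.

/**
 * Return a list of findings for the current PHP configuration.
 * An empty array means warnings are logged rather than shown to clients.
 */
function audit_error_disclosure(): array
{
    $findings = [];

    // display_errors accepts "1"/"On" as well as "stderr"/"stdout"; anything
    // outside the explicit off-list sends warnings (with absolute script paths)
    // to whoever triggered them.
    $display = strtolower(trim((string) ini_get('display_errors')));
    if (!in_array($display, ['', '0', 'off', 'false', 'no'], true)) {
        $findings[] = "display_errors is '{$display}'; set display_errors = Off";
    }

    // Startup errors are shown separately and leak the same information.
    if (filter_var(ini_get('display_startup_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'display_startup_errors is On; set display_startup_errors = Off';
    }

    // Errors must still be recorded somewhere the operator can read them.
    if (!filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN)) {
        $findings[] = 'log_errors is Off; set log_errors = On and configure error_log';
    }

    return $findings;
}

// Hardened directives for php.ini (or php_flag/php_value lines in .htaccess).
// The error_log path is a placeholder; use the site's own log location.
const HARDENED_INI = <<<'INI'
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /path/to/php-error.log
INI;

$findings = audit_error_disclosure();
if ($findings === []) {
    echo "OK: PHP errors are logged, not displayed to clients\n";
} else {
    foreach ($findings as $finding) {
        echo "FINDING: {$finding}\n";
    }
    echo "\nRecommended settings:\n" . HARDENED_INI . "\n";
}
```

Run it through the same SAPI that serves phpMyAdmin (for example by placing it under the web root temporarily, or via php-fpm), not the CLI: the CLI SAPI defaults display_errors to STDOUT, so a command-line run reports a finding that does not necessarily apply to the web server.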
This issue affects the latest version of the phpMyAdmin package, as shipped with Fedora releases 18 and 19, Fedora EPEL-6, and Fedora EPEL-5. Please schedule an update.
Created phpMyAdmin tracking bugs for this issue: Affects: epel-5 [bug 989674]
Created phpMyAdmin tracking bugs for this issue:
Affects: fedora-all [bug 989678]
Affects: epel-6 [bug 989679]
Based on: http://www.openwall.com/lists/oss-security/2013/07/30/1 the CVE identifiers for PMASA-2013-12 got assigned as follows: "Use CVE-2013-4998 for the path-disclosure issues affecting both 3.5.x and 4.0.x (approximately three affected files). Use CVE-2013-4999 for the path-disclosure issues affecting only version 4.0.x (approximately two affected files). Use CVE-2013-5000 for the path-disclosure issues affecting only version 3.5.x (several affected files)."
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-4.0.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin4-4.0.10.3-2.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.