Bug 989660 - (CVE-2013-4998, CVE-2013-4999, CVE-2013-5000) CVE-2013-4998 CVE-2013-4999 CVE-2013-5000 phpMyAdmin: Multiple full path disclosure flaws (PMASA-2013-12)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20130728,repor...
Keywords: Security
Depends On: 989674 989678 989679 989881
Blocks: 989687
Reported: 2013-07-29 13:10 EDT by Jan Lieskovsky
Modified: 2014-10-09 15:55 EDT (History)
Fixed In Version: phpMyAdmin 3.5.8.2, phpMyAdmin 4.0.4.2
Doc Type: Bug Fix
Last Closed: 2013-09-07 01:18:13 EDT
Description Jan Lieskovsky 2013-07-29 13:10:17 EDT
Multiple full path disclosure flaws were found in various components of phpMyAdmin, a tool written in PHP intended to handle the administration of MySQL over the World Wide Web. When PHP on the system in question was configured to display errors (display_errors directive set to on), a remote attacker could provide a specially-crafted web page that, when processed, might (previously) reveal the full path of the directory where the phpMyAdmin instance was installed.

Upstream advisory:
[1] http://www.phpmyadmin.net/home_page/security/PMASA-2013-12.php

Relevant patches:
* master:
    https://github.com/phpmyadmin/phpmyadmin/commit/0fea53b7b82134ce0e1979a71b7ce080b5b6ff9a
    https://github.com/phpmyadmin/phpmyadmin/commit/8e4fe7c57a976f2ce9a6931687f4697d519111ec
    https://github.com/phpmyadmin/phpmyadmin/commit/7992beb8e42f2a4a3dab275b119d1ebd58e3b164
    https://github.com/phpmyadmin/phpmyadmin/commit/142e465c80a1fb3d71e214d29c566c15a416518d

* 3.5.x:
    https://github.com/phpmyadmin/phpmyadmin/commit/142e465c80a1fb3d71e214d29c566c15a416518d
    https://github.com/phpmyadmin/phpmyadmin/commit/63848b24389dfabda8306112e20742b3ff7b8b12
    https://github.com/phpmyadmin/phpmyadmin/commit/4cc91616057d7517df306fe27b291c9639493d88
    https://github.com/phpmyadmin/phpmyadmin/commit/5d49c44fb862bfdfb8205ff15e8469cfb1b1c5d9
    https://github.com/phpmyadmin/phpmyadmin/commit/2f93578e20fd422f922183254dd50318d03a3e24
    https://github.com/phpmyadmin/phpmyadmin/commit/8559162ebc8ce822fa01ac429a6aab08cfa4ceda
    https://github.com/phpmyadmin/phpmyadmin/commit/1c1e3dca2b0cdfe10615f51a73b7d00718ad8d4b
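An added illustration of the pattern behind this class of flaw (example code, not phpMyAdmin's own and not taken from the linked commits): a PHP notice or warning names the absolute path of the script that raised it, and display_errors=On sends that text to the client. The assumed trigger shown here, a library file that is requested directly instead of being included by the application's entry script, the file and constant names, and the path in the comment are all constructed for the example.

```php
<?php
// lib/example_helper.php (constructed name). The application's entry script
// is assumed to define PMA_ENTRY_EXAMPLE before including this file; a direct
// HTTP request for this file arrives without that definition and without $config.
//
// Vulnerable shape: no guard. On a direct request the line marked (*) raises a
// notice/warning whose message includes the file's absolute path, e.g.
//   Undefined variable $config in /var/www/html/pma/lib/example_helper.php
// (constructed path). With display_errors=On that text is returned to the
// browser, which is the full path disclosure this report describes.
//
// Hardened shape (defence in depth, two independent layers):

// Layer 1 (deployment): diagnostics go to the server log, never to the client.
// Equivalent php.ini settings: display_errors = Off, log_errors = On.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Layer 2 (code): refuse to run outside the application that includes us.
// PMA_ENTRY_EXAMPLE is an assumed constant name, not the project's own.
if (! defined('PMA_ENTRY_EXAMPLE')) {
    http_response_code(403);
    exit('Direct access to library files is not allowed.');
}

// Only reached when included by the entry script, so $config exists here.
$title = $config['title'];   // (*) would warn, and leak the path, on a direct request without the guard
```

Layer 1 alone stops the disclosure even for files that lack the guard, which is why display_errors=Off on production hosts is the first check to make regardless of the phpMyAdmin version deployed.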
Comment 1 Jan Lieskovsky 2013-07-29 13:19:46 EDT
This issue affects the latest version of the phpMyAdmin package, as shipped with Fedora releases 18 and 19, Fedora EPEL-6, and Fedora EPEL-5. Please schedule an update.
Comment 2 Jan Lieskovsky 2013-07-29 13:28:29 EDT
Created phpMyAdmin tracking bugs for this issue:

Affects: epel-5 [bug 989674]
Comment 3 Jan Lieskovsky 2013-07-29 13:36:45 EDT
Created phpMyAdmin tracking bugs for this issue:

Affects: fedora-all [bug 989678]
Affects: epel-6 [bug 989679]
Comment 5 Jan Lieskovsky 2013-07-30 05:08:34 EDT
Based on http://www.openwall.com/lists/oss-security/2013/07/30/1, the CVE identifiers for PMASA-2013-12 were assigned as follows:

"Use CVE-2013-4998 for the path-disclosure issues affecting both 3.5.x
and 4.0.x (approximately three affected files).

Use CVE-2013-4999 for the path-disclosure issues affecting only
version 4.0.x (approximately two affected files).

Use CVE-2013-5000 for the path-disclosure issues affecting only
version 3.5.x (several affected files)."
Comment 6 Fedora Update System 2014-07-30 03:00:56 EDT
phpMyAdmin-4.2.6-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2014-07-30 03:02:28 EDT
phpMyAdmin-4.2.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2014-08-07 07:46:03 EDT
phpMyAdmin-4.0.10.1-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2014-10-09 15:55:04 EDT
phpMyAdmin4-4.0.10.3-2.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.