Bug 443683 (CVE-2008-1924) - CVE-2008-1924 phpMyAdmin: Permission/information leak to access with apache rights
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-1924
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard:
Depends On:
Blocks:
Reported: 2008-04-22 20:34 UTC by Robert Scheck
Modified: 2008-05-17 18:59 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-05-17 18:59:25 UTC
Embargoed:



Description Robert Scheck 2008-04-22 20:34:01 UTC
Upstream: phpMyAdmin
Announcement-ID: PMASA-2008-3
Date: 2008-04-22

Summary:
File disclosure on shared hosts via a crafted HTML.

Description:
Upstream received an advisory from Cezary Tomczak, and we wish to thank him for 
his work. It is possible to read the contents of any file that the web server's 
user can access. The exact mechanism to achieve this won't be disclosed.

Severity:
Upstream considers this vulnerability to be serious.

Mitigation factor:
If a user can upload on the same host where phpMyAdmin is running, a PHP script 
that can read files with the rights of the web server's user, the current 
advisory does not describe an additional threat.

Affected versions:
Versions before 2.11.5.2.

Solution:
Upgrade to phpMyAdmin 2.11.5.2 or newer.
References: Revision 11205

Comment 1 Fedora Update System 2008-04-22 21:30:49 UTC
phpMyAdmin-2.11.5.2-1.fc7 has been submitted as an update for Fedora 7

Comment 2 Fedora Update System 2008-04-22 21:31:15 UTC
phpMyAdmin-2.11.5.2-1.fc8 has been submitted as an update for Fedora 8

