Bug 741377 - (CVE-2011-3699) CVE-2011-3699 php-adodb: installation path disclosure via a direct request to a .php file
CVE-2011-3699 php-adodb: installation path disclosure via a direct request to...
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 741378 741379
  Show dependency treegraph
Reported: 2011-09-26 13:38 EDT by Vincent Danen
Modified: 2011-09-26 17:42 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-26 17:42:15 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Vincent Danen 2011-09-26 13:38:27 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-3699 to
the following vulnerability:

Name: CVE-2011-3699
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3699
Assigned: 20110923
Reference: http://www.openwall.com/lists/oss-security/2011/06/27/6
Reference: http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/%21_README
Reference: http://code.google.com/p/inspathx/source/browse/trunk/paths_vuln/adodb

John Lim ADOdb Library for PHP 5.11 allows remote attackers to obtain
sensitive information via a direct request to a .php file, which
reveals the installation path in an error message, as demonstrated by
tests/test-active-record.php and certain other files.
Comment 1 Vincent Danen 2011-09-26 13:39:28 EDT
Created php-adodb tracking bugs for this issue

Affects: fedora-all [bug 741378]
Affects: epel-all [bug 741379]
Comment 2 Gianluca Sforna 2011-09-26 14:00:14 EDT
I am sorry but I need to ask: how an attacker is going to access those files? they are not in the webroot so I can't really see how you can request them directly.

Am I missing something?
Comment 3 Vincent Danen 2011-09-26 16:28:11 EDT
So the Fedora installation takes care not to install them to the webroot?  If that is the case, then likely we do not need to address this.  Do you know if any other files expose the path information like that file does?

(Sorry, I did not have a chance to look too closely, there were 120+ CVEs assigned for this kind of flaw)
Comment 4 Gianluca Sforna 2011-09-26 17:08:34 EDT
Yes, I just double checked and all php files in the package (including tests ) ends up in /usr/share/php/adodb which is not under the web root.

It is still probably a good idea to remove the test files from the main package, I'll probably do it in the next update
Comment 5 Vincent Danen 2011-09-26 17:42:15 EDT
Great, thanks for checking.  I'll close these bugs as NOTABUG then.

Note You need to log in before you can comment on or make changes to this bug.