|
phpMyAdmin Username/Password Session File Information Disclosure
|
|
|
|
|
Secunia Advisory:
|
SA29613
|
|
|
Release Date:
|
2008-03-31
|
|
Last Update:
|
2008-04-01
|
|
|
Critical:
|
Less critical
|
|
Impact:
|
Exposure of sensitive information
|
|
Where:
|
Local system
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | phpMyAdmin 2.x
|
| | CVE reference: | CVE-2008-1567 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Jim Hermann has discovered a vulnerability in phpMyAdmin, which can potentially be exploited by malicious users to disclose sensitive information.
The MySQL username, password, and the Blowfish secret key are stored as plain text in session files. This can potentially be exploited e.g. by users on shared hosts to access that information.
The vulnerability is confirmed in version 2.11.5 and reported in all previous versions.
Solution:
Update to version 2.11.5.1.
Provided and/or discovered by:
Jim Hermann
Changelog:
2008-04-01: Added CVE reference.
Original Advisory:
PMASA-2008-2:
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2
Jim Hermann:
http://sourceforge.net/tracker/index....11&group_id=23067&atid=377408
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
32 Related Secunia Security Advisories, displaying 10
|
|
|
1. phpMyAdmin Shared Host Information Disclosure
|
|
2. phpMyAdmin "$_REQUEST" SQL Injection Vulnerability
|
|
3. phpMyAdmin "convcharset" Cross-Site Scripting
|
|
4. phpMyAdmin Database Name SQL Injection and Script Insertion
|
|
5. phpMyAdmin "server_status.php" Cross-Site Scripting
|
|
6. phpMyAdmin "setup.php" Cross-Site Scripting Vulnerability
|
|
7. phpMyAdmin Cross-Site Scripting Vulnerabilities
|
|
8. phpMyAdmin Cross-Site Scripting and HTTP Response Splitting
|
|
9. phpMyAdmin Script Insertion and IP Address Check Bypass
|
|
10. phpMyAdmin UTF-7 Cross-Site Scripting Vulnerability
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
