phpMyAdmin

• PMASA-2010-3
• PMASA-2010-2
• PMASA-2010-1
• PMASA-2009-6
• PMASA-2009-5
• PMASA-2009-4
• PMASA-2009-3
• PMASA-2009-2
• PMASA-2009-1
• PMASA-2008-10
• PMASA-2008-9
• PMASA-2008-8
• PMASA-2008-7
• PMASA-2008-6
• PMASA-2008-5
• PMASA-2008-4
• PMASA-2008-3
• PMASA-2008-2
• PMASA-2008-1
• PMASA-2007-8
• PMASA-2007-7
• PMASA-2007-6
• PMASA-2007-5
• PMASA-2007-4
• PMASA-2007-3
• PMASA-2007-2
• PMASA-2007-1
• PMASA-2006-9
• PMASA-2006-8
• PMASA-2006-7
• PMASA-2006-6
• PMASA-2006-5
• PMASA-2006-4
• PMASA-2006-3
• PMASA-2006-2
• PMASA-2006-1
• PMASA-2005-9
• PMASA-2005-8
• PMASA-2005-7
• PMASA-2005-6
• PMASA-2005-5
• PMASA-2005-4
• PMASA-2005-3
• PMASA-2005-2
• PMASA-2005-1
• PMASA-2004-4
• PMASA-2004-3
• PMASA-2004-2
• PMASA-2004-1
• PMASA-2003-1

PMASA-2008-3

Announcement-ID: PMASA-2008-3

Date: 2008-04-22

Updated: 2008-04-27

Summary

File disclosure on shared hosts via a crafted HTTP POST request.

Description

We received an advisory from Cezary Tomczak, and we wish to thank him for his work. It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions before 2.11.5.2.

Solution

Upgrade to phpMyAdmin 2.11.5.2 or newer.

References

Cezary Tomczak's advisory

Assigned CVE ids: CVE-2008-1924

Patches

Revision 11205
Revision 11211

For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net.