PMASA-2008-2
Announcement-ID: PMASA-2008-2
Date: 2008-03-29
Summary
Credentials disclosure on shared hosts via session data
Description
We received an advisory from Jim Hermann, and we wish to thank him for his work. phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host.
Severity
We consider this vulnerability to be serious.
Affected Versions
Versions before 2.11.5.1.
Solution
Upgrade to phpMyAdmin 2.11.5.1 or newer.
References
Assigned CVE IDs: CVE-2008-1567
Patches
The following commits have been made to fix this issue:
More information
For further information and in case of questions, please contact the phpMyAdmin security team at security@phpmyadmin.net.