PMASA-2008-2

Announcement-ID: PMASA-2008-2

Date: 2008-03-29

Summary

Credentials disclosure on shared hosts via session data

Description

We received an advisory from Jim Hermann, and we wish to thank him for his work. phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions before 2.11.5.1.

Solution

Upgrade to phpMyAdmin 2.11.5.1 or newer.

References

Assigned CVE ids: CVE-2008-1567

CWE ids: CWE-661 CWE-522

Patches

The following commits have been made to fix this issue:

More information

For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.

Announcements