File disclosure on shared hosts via a crafted HTTP POST request.
We received an advisory from Cezary Tomczak, and we wish to thank him for his work. It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed.
We consider this vulnerability to be serious.
If a user can upload on the same host where phpMyAdmin is running, a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat.
Versions before 220.127.116.11.
Upgrade to phpMyAdmin 18.104.22.168 or newer.
Assigned CVE ids: CVE-2008-1924
The following commits have been made to fix this issue:
For further information and in case of questions, please contact the phpMyAdmin team. Our website is phpmyadmin.net.