Bug 160337 - dev-db/phpmyadmin: path disclosure (CVE-2007-0095)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://xforce.iss.net/xforce/xfdb/31223
Whiteboard: B4 [noglsa] jaervosz
Keywords:
Depends on: 175847
Blocks:
Reported: 2007-01-05 16:36 UTC by Executioner
Modified: 2007-06-05 18:46 UTC

See Also:
Package list:
Runtime testing required: ---


Description Executioner 2007-01-05 16:36:01 UTC
phpMyAdmin could allow a remote attacker to obtain sensitive information. An attacker could send a specially-crafted URL request to the darkblue_orange/layout.inc.php script to cause an error message to be returned containing the full installation path. An attacker could use this information to launch further attacks against the affected system.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-01-06 13:01:28 UTC
web-apps please advise.
Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-01-14 21:36:03 UTC
another issue is already being handled: bug 161460.

Do we know what version fixes this path disclosure?
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2007-01-22 19:38:09 UTC
since the mentioned file has not been modified in svn <http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/trunk/phpMyAdmin/themes/darkblue_orange/> for months, I guess the latest version is still affected

Comment 4 Executioner 2007-02-14 02:04:21 UTC
Doesn't look like 2.9.2 fixed this.
http://www.redhat.com/archives/fedora-security-list/2007-January/msg00031.html
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 21:25:48 UTC
Does anybody know if 2.10.0.2 fixes this?
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:40:08 UTC
According to: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=221694 this is not fixed in 2.10.0.2.
Comment 7 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-05-03 17:41:44 UTC
upstream released 2.10.1, seems that it fixes it.
Comment 8 Renat Lumpau (RETIRED) gentoo-dev 2007-05-28 00:53:14 UTC
2.10.1 is in the tree
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-05-28 06:40:01 UTC
Thx Renat.

Handling stable marking on bug #175847.
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-06-05 18:46:39 UTC
Closing with bug 175847. Feel free to reopen if you disagree.