oss-security - Re: CVE request: phpmyadmin (PMASA-2008-2)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [day] [month] [year] [list]

Date: Mon, 31 Mar 2008 17:40:31 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Hanno Böck <hanno@...eck.de>
cc: oss-security@...ts.openwall.com,
        "Steven M. Christey" <coley@...us.mitre.org>
Subject: Re: CVE request: phpmyadmin (PMASA-2008-2)


======================================================
Name: CVE-2008-1567
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1567
Reference: MISC:http://sourceforge.net/tracker/index.php?func=detail&aid=1909711&group_id=23067&atid=377408
Reference: CONFIRM:http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2
Reference: FRSIRT:ADV-2008-1037
Reference: URL:http://www.frsirt.com/english/advisories/2008/1037/references
Reference: SECUNIA:29613
Reference: URL:http://secunia.com/advisories/29613

phpMyAdmin before 2.11.5.1 stores the (1) MySQL username, (2)
password, and the (2) Blowfish secret key in plaintext in the /tmp
Session file, which allows local users to obtain sensitive
information.

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.