[TYPO3] TYPO3 Security Bulletin TYPO3-20070716-2: Information Disclosure from Extension phpmyadmin

Lars Houmark lars at typo3.org
Tue Jul 17 00:01:06 CEST 2007

Dear users of TYPO3,

An information disclosure issue has been found in the phpmyadmin  
extension of TYPO3 that may give access to phpinfo() information in  
special cases. The standalone version of phpmyadmin is not affected.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3  
default installation.

==== Affected Versions ====
phpmyadmin version 0.2.1 and all versions below (the standalone  
version of phpmyadmin is not affected).

==== Vulnerability Type ====
Information Disclosure

==== Severity ====

==== Problem Description ====
Caused by a bug in PhpMyAdmin, TYPO3 will disclose phpinfo() details  
to an attacker.

The problem is fixed in phpmyadmin version 0.2.2. Additionally, TYPO3  
and TYPO3 4.0.7 will make sure that this information is never displayed
disregarding any extension bugs.

==== Solution ====
An updated version is available from the TYPO3 extension manager or from

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security  
Keep notice of the TYPO3 security bulletin page at http://typo3.org/ 

==== Credits ====
Credits go to Security Team member Henning Pingel who discovered this  
issue, and to the author of the extension, Andreas Beutel, who  
quickly fixed it.


Lars Houmark
lars at typo3.org

More information about the TYPO3-english mailing list