[TYPO3-UG Russia] Fwd: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070716-2: Information Disclosure from Extension phpmyadmin
Michael Shigorin
mike at osdn.org.ua
Tue Jul 17 11:14:29 CEST 2007
----- Forwarded message from Lars Houmark <lars/typo3.org> -----
Date: Tue, 17 Jul 2007 00:01:06 +0200
From: Lars Houmark <lars/typo3.org>
To: typo3-announce/lists.netfielders.de, typo3-dev/lists.netfielders.de, typo3-english/lists.netfielders.de
Subject: [TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070716-2: Information Disclosure from Extension phpmyadmin
Dear users of TYPO3,
An information disclosure issue has been found in the phpmyadmin
extension of TYPO3 that may give access to phpinfo() information in
special cases. The standalone version of phpmyadmin is not affected.
==== Component Type ====
Third party extension. This extension is not part of the TYPO3
default installation.
==== Affected Versions ====
phpmyadmin version 0.2.1 and all versions below (the standalone
version of phpmyadmin is not affected).
==== Vulnerability Type ====
Information Disclosure
==== Severity ====
Low
==== Problem Description ====
Caused by a bug in PhpMyAdmin, TYPO3 will disclose phpinfo() details
to an attacker.
The problem is fixed in phpmyadmin version 0.2.2. Additionally, TYPO3
4.1.2 and TYPO3 4.0.7 will make sure that this information is never
displayed disregarding any extension bugs.
==== Solution ====
An updated version is available from the TYPO3 extension manager or from
http://typo3.org/extensions/repository/view/phpmyadmin/0.2.2/
==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook.
Keep notice of the TYPO3 security bulletin page at
http://typo3.org/teams/security/security-bulletins/.
==== Credits ====
Credits go to Security Team member Henning Pingel who discovered this
issue, and to the author of the extension, Andreas Beutel, who
quickly fixed it.
Regards,
Lars Houmark
lars/typo3.org
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/