[TYPO3-announce] TYPO3 Security Bulletin TYPO3-20070716-2: Information Disclosure from Extension phpmyadmin

Lars Houmark lars at typo3.org
Tue Jul 17 00:01:06 CEST 2007


Dear users of TYPO3,

An information disclosure issue has been found in the phpmyadmin  
extension of TYPO3 that may give access to phpinfo() information in  
special cases. The standalone version of phpmyadmin is not affected.

==== Component Type ====
Third party extension. This extension is not part of the TYPO3  
default installation.

==== Affected Versions ====
phpmyadmin version 0.2.1 and all versions below (the standalone  
version of phpmyadmin is not affected).

==== Vulnerability Type ====
Information Disclosure

==== Severity ====
Low

==== Problem Description ====
Because of a bug in PhpMyAdmin, TYPO3 will disclose phpinfo() details
to an attacker.

The problem is fixed in phpmyadmin version 0.2.2. Additionally, TYPO3
4.1.2 and TYPO3 4.0.7 will make sure that this information is never
displayed, regardless of any extension bugs.

==== Solution ====
An updated version is available from the TYPO3 extension manager or from
http://typo3.org/extensions/repository/view/phpmyadmin/0.2.2/

==== General advice ====
Follow the recommendations that are given in the TYPO3 Security
Cookbook.
Keep an eye on the TYPO3 security bulletin page at
http://typo3.org/teams/security/security-bulletins/.

==== Credits ====
Credits go to Security Team member Henning Pingel who discovered this  
issue, and to the author of the extension, Andreas Beutel, who  
quickly fixed it.


Regards,

Lars Houmark
lars at typo3.org





