Information Disclosure from phpmyadmin

2007-07-16T00:00:00
ID TYPO3-20070716-2
Type typo3
Reporter TYPO3 Association
Modified 2007-07-16T00:00:00

Description

An information disclosure issue has been found in the phpmyadmin extension of TYPO3 that may give access to phpinfo() information in special cases. The standalone version of phpmyadmin is not affected.

Component Type: Third party extension. This extension is not part of the TYPO3 default installation.

Affected Versions: phpmyadmin version 0.2.1 and all versions below (the standalone version of phpmyadmin is not affected).

Vulnerability Type: Information Disclosure

Severity: Low

Problem Description: Caused by a bug in PhpMyAdmin, TYPO3 may disclose phpinfo() details to an attacker.

The problem is fixed in phpmyadmin version 0.2.2. Additionally, TYPO3 4.1.2
and TYPO3 4.0.7 will make sure that this information is never displayed,
regardless of any extension bugs.

Solution: An updated version is available from the TYPO3 extension manager or from
http://typo3.org/extensions/repository/view/phpmyadmin/0.2.2/

General advice: Follow the recommendations given in the TYPO3 Security Cookbook.
Keep an eye on the TYPO3 security bulletin page at http://typo3.org/teams/security/security-bulletins/.

Credits: Credits go to Security Team member Henning Pingel who discovered this issue, and to the author of the extension, Andreas Beutel, who quickly fixed it.