CVE-2008-1924

NameCVE-2008-1924
DescriptionUnspecified vulnerability in phpMyAdmin before 2.11.5.2, when running on shared hosts, allows remote authenticated users with CREATE table permissions to read arbitrary files via a crafted HTTP POST request, related to use of an undefined UploadDir variable.
SourceCVE (at NVD; LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDSA-1557-1
NVD severitylow (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
phpmyadmin (PTS)wheezy (security), wheezy4:3.4.11.1-2+deb7u2fixed
jessie (security), jessie4:4.2.12-2+deb8u1fixed
stretch4:4.5.5.1-2fixed
sid4:4.6.0-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
phpmyadminsource(unstable)4:2.11.5.2-1low
phpmyadminsourceetch4:2.9.1.1-7lowDSA-1557-1

Notes

PMASA-2008-3
http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_9/phpMyAdmin/libraries/tbl_replace_fields.inc.php?r1=11211&r2=11210&pathrev=11211

Search for package or bug name: Reporting problems