=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN109
_____________________________________________________________________

DATE                      : 03/04/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running phpMyAdmin.

======================================================================
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2
______________________________________________________________________

phpMyAdmin security announcement PMASA-2008-2

Announcement-ID: PMASA-2008-2
Date: 2008-03-29

Summary:
Credentials disclosure on shared hosts via session data

Description:
We received an advisory from Jim Hermann, and we wish to thank him
for his work. phpMyAdmin saves sensitive information like the MySQL
username and password and the Blowfish secret key in session data,
which might be unprotected on a shared host.

Severity:
We consider this vulnerability to be serious.

Affected versions:
Versions before 2.11.5.1.

Solution:
Upgrade to phpMyAdmin 2.11.5.1 or newer.

References:
Revision 11175

For further information and in case of questions, please contact
the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
