[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [DSA 1824-1] New phpmyadmin packages fix several vulnerabilities

Hi folks,

Thijs Kinkhorst <thijs@debian.org> wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1824-1                  security@debian.org
> http://www.debian.org/security/                          Thijs Kinkhorst
> June 25, 2009                         http://www.debian.org/security/faq
> ------------------------------------------------------------------------
> Package        : phpmyadmin
> CVE-2009-1151
>   Static code injection allows for a remote attacker to inject arbitrary
>   code into phpMyAdmin via the setup.php script. This script is in Debian
>   under normal circumstances protected via Apache authentication.
>   However, because of a recent worm based on this exploit, we are patching
>   it regardless, to also protect installations that somehow still expose
>   the setup.php script.

May I just point out that the setup.php script is in fact *not* really
protected in Debian? The problem is that it is by default accessible
using a standard password, thus making phpmyadmin vulnerable to remote
user attacks. It might be better not to create a default htpasswd.setup
and to advise the admin somehow to do so manually in order to get access
to setup.php.



Reply to: