Re: [DSA 1824-1] New phpmyadmin packages fix several vulnerabilities
Hi folks,
Thijs Kinkhorst <thijs@debian.org> wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1824-1 security@debian.org
> http://www.debian.org/security/ Thijs Kinkhorst
> June 25, 2009 http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : phpmyadmin
[...]
> CVE-2009-1151
>
> Static code injection allows for a remote attacker to inject arbitrary
> code into phpMyAdmin via the setup.php script. This script is in Debian
> under normal circumstances protected via Apache authentication.
> However, because of a recent worm based on this exploit, we are patching
> it regardless, to also protect installations that somehow still expose
> the setup.php script.
May I just point out that the setup.php script is in fact *not* really
protected in Debian? The problem is that it is by default accessible
using a standard password, thus making phpmyadmin vulnerable to remote
user attacks. It might be better not to create a default htpasswd.setup
and to advise the admin somehow to do so manually in order to get access
to setup.php.
Regards,
Elias
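As an added check (not part of this thread, and not Debian's or phpMyAdmin's own tooling): a small Python audit that reads an htpasswd-style file such as the htpasswd.setup discussed above and reports accounts whose {SHA} hash still verifies against a list of hypothetical default passwords. The file contents, user names, passwords and the candidate list are constructed for the example; the real shipped default is not reproduced.

```python
import base64
import hashlib

# Constructed sample in htpasswd format, standing in for a shipped
# htpasswd.setup. Users, passwords and the "default" list are made up for
# this example; the real Debian default is not reproduced.
def sha_entry(user, password):
    """Build an Apache {SHA} htpasswd line: user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"

SAMPLE_HTPASSWD = "\n".join([
    sha_entry("admin", "placeholder-default"),  # hypothetical shipped default
    sha_entry("ops", "Tr0ub4dor&3-unique"),     # operator-chosen password
]) + "\n"

# Hypothetical candidates: passwords a package might ship or document.
DEFAULT_CANDIDATES = ["placeholder-default", "admin", "setup"]

def parse_htpasswd(text):
    """Return {user: hash} for 'user:hash' lines, skipping blanks and comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        entries[user] = stored
    return entries

def matches_sha(stored, candidate):
    """True if a {SHA} entry verifies against candidate."""
    digest = hashlib.sha1(candidate.encode("utf-8")).digest()
    return stored == "{SHA}" + base64.b64encode(digest).decode("ascii")

def find_default_accounts(text, candidates):
    """Report accounts still using a candidate default password. Only {SHA} is
    verified; other schemes (e.g. $apr1$) go to 'unchecked', never 'safe'."""
    result = {"default": [], "unchecked": []}
    for user, stored in parse_htpasswd(text).items():
        if not stored.startswith("{SHA}"):
            result["unchecked"].append(user)
            continue
        for cand in candidates:
            if matches_sha(stored, cand):
                result["default"].append((user, cand))
                break
    return result
```

Any account listed under "default" should be treated the same as no authentication at all, which is the point the reply above makes about setup.php.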