
Re: [DSA 1824-1] New phpmyadmin packages fix several vulnerabilities



Hi folks,

Thijs Kinkhorst <thijs@debian.org> wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1824-1                  security@debian.org
> http://www.debian.org/security/                          Thijs Kinkhorst
> June 25, 2009                         http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package        : phpmyadmin
[...]
> CVE-2009-1151
>
>   Static code injection allows for a remote attacker to inject arbitrary
>   code into phpMyAdmin via the setup.php script. This script is in Debian
>   under normal circumstances protected via Apache authentication.
>   However, because of a recent worm based on this exploit, we are patching
>   it regardless, to also protect installations that somehow still expose
>   the setup.php script.

May I just point out that the setup.php script is in fact *not* really
protected in Debian? The problem is that it is by default accessible
using a standard password, thus making phpmyadmin vulnerable to remote
user attacks. It might be better not to create a default htpasswd.setup
and to advise the admin somehow to do so manually in order to get access
to setup.php.

Regards,

Elias
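The reply above is about a default credential shipped in an htpasswd file guarding setup.php. One way for an administrator to check, offline, whether such a file still accepts a known default or otherwise weak password is to recompute the candidate passwords in the file's own hash scheme and compare. The following script is an added example, not part of this mail, of the advisory, or of the Debian phpmyadmin package. It assumes the Apache `{SHA}` scheme (what `htpasswd -s` writes); the sample file contents and the candidate list are constructed, and entries in other schemes (such as `$apr1$`) are reported as not verified rather than silently passed.

```python
"""Audit an Apache htpasswd file for entries that still accept a default
or weak password.  Added example; assumptions are marked in comments."""
import base64
import hashlib


def sha_htpasswd(password: str) -> str:
    """Encode a password the way `htpasswd -s` does: '{SHA}' + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed sample file: one default-style account, one strong password,
# and one entry in the apr1 scheme that this checker does not recompute.
SAMPLE_HTPASSWD = "\n".join([
    "# htpasswd.setup (constructed sample, not the Debian file)",
    "admin:" + sha_htpasswd("changeme"),
    "operator:" + sha_htpasswd("Vq7!r2Lp#z9Xe"),
    "legacy:$apr1$abcdefgh$0123456789abcdefghijkl",  # constructed placeholder
])

# Constructed list of candidate default/weak passwords to test against.
WEAK_CANDIDATES = ["changeme", "password", "admin", "setup", "phpmyadmin", ""]


def parse_htpasswd(text: str):
    """Return (user, hashed) pairs, skipping blank and comment lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hashed = line.split(":", 1)
        entries.append((user, hashed))
    return entries


def audit_htpasswd(text: str, candidates):
    """Return (weak, unverified).

    weak       -- dict mapping user -> candidate password that matched
    unverified -- users whose hash scheme this checker cannot recompute,
                  so they must be reviewed by other means
    """
    weak = {}
    unverified = []
    for user, hashed in parse_htpasswd(text):
        if hashed.startswith("{SHA}"):
            for cand in candidates:
                if sha_htpasswd(cand) == hashed:
                    weak[user] = cand
                    break
        else:
            unverified.append(user)
    return weak, unverified


if __name__ == "__main__":
    weak, unverified = audit_htpasswd(SAMPLE_HTPASSWD, WEAK_CANDIDATES)
    for user, pw in weak.items():
        print(f"WEAK: user {user!r} accepts candidate password {pw!r}")
    for user in unverified:
        print(f"NOT VERIFIED: user {user!r} uses a scheme this script does not check")
```

On a real system, read the htpasswd file named in the relevant Apache `AuthUserFile` directive instead of `SAMPLE_HTPASSWD`; a hit in `weak` means the protection is only nominal, and any user in `unverified` needs a manual look.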
