Hi folks,
Thijs Kinkhorst <thijs@...> wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1824-1                       security@...
> http://www.debian.org/security/                       Thijs Kinkhorst
> June 25, 2009                         http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package : phpmyadmin
[...]
> CVE-2009-1151
>
> Static code injection allows for a remote attacker to inject arbitrary
> code into phpMyAdmin via the setup.php script. This script is in Debian
> under normal circumstances protected via Apache authentication.
> However, because of a recent worm based on this exploit, we are patching
> it regardless, to also protect installations that somehow still expose
> the setup.php script.
May I just point out that the setup.php script is in fact *not* really
protected in Debian? The problem is that it is by default accessible
using a standard password, thus making phpmyadmin vulnerable to remote
user attacks. It might be better not to create a default htpasswd.setup
and to advise the admin somehow to do so manually in order to get access
to setup.php.
Regards,
Elias
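The point above is that Basic authentication in front of setup.php is only as good as the credentials in htpasswd.setup: a file shipped with a well-known password is equivalent to no authentication. The following script is an added example (not code from Debian, phpMyAdmin or anyone on this thread) that does the two things an administrator would want after reading this: it audits an existing htpasswd file against a list of guessable passwords, and it mints a replacement entry with a random password of the kind one would create by hand. The file path /etc/phpmyadmin/htpasswd.setup, the guess list and the sample file contents are assumptions made for the example. Only the `{SHA}` scheme (what `htpasswd -s` writes) is verified, because it can be computed with the Python standard library; entries in other schemes (crypt, `$apr1$`, bcrypt) are reported as unchecked rather than silently passed. For a real file, generate the entry with `htpasswd -B` (bcrypt, Apache 2.4 and later) instead of the unsalted `{SHA}` form used here for self-containment.

```python
"""Audit an Apache htpasswd file (e.g. /etc/phpmyadmin/htpasswd.setup, path
assumed) for entries that a guessable password unlocks, and mint a replacement
entry with a random password.

Added example, not code from Debian or phpMyAdmin.  Only the {SHA} scheme is
implemented, so that the script runs with the standard library alone; other
schemes are reported as "unchecked", never as safe.
"""
import base64
import hashlib
import secrets


def sha_hash(password: str) -> str:
    """Apache's {SHA} field: base64 of the raw, unsalted SHA-1 of the password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_password(hash_field: str, password: str):
    """True/False for a {SHA} field; None if this tool cannot verify the scheme."""
    if hash_field.startswith("{SHA}"):
        return secrets.compare_digest(hash_field, sha_hash(password))
    return None


def new_setup_entry(user: str) -> tuple:
    """Return (htpasswd line, cleartext password) using a random 192-bit password.
    This is the manual step an admin performs instead of relying on a shipped file."""
    password = secrets.token_urlsafe(24)
    return f"{user}:{sha_hash(password)}", password


def audit_htpasswd(text: str, candidates) -> dict:
    """Map each user to ('weak', matched_password), ('ok', None) or
    ('unchecked', scheme_prefix).  Blank lines and comments are skipped."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        # Refuse to vouch for a scheme we cannot verify.
        if check_password(hash_field, "") is None:
            report[user] = ("unchecked", hash_field[:6])
            continue
        match = next((g for g in candidates if check_password(hash_field, g)), None)
        report[user] = ("weak", match) if match is not None else ("ok", None)
    return report


# Constructed sample file and guess list (not Debian's actual shipped contents):
# one account whose password is in the guess list, one with a random password,
# and one in a scheme this tool does not implement.
GUESSES = ["admin", "phpmyadmin", "setup", "password", "changeme"]
SAMPLE_HTPASSWD = "\n".join([
    "# constructed htpasswd.setup",
    "admin:" + sha_hash("admin"),
    "setupuser:" + sha_hash(secrets.token_urlsafe(24)),
    "legacy:$apr1$salt$notarealapr1hash",
])

if __name__ == "__main__":
    for user, (status, detail) in audit_htpasswd(SAMPLE_HTPASSWD, GUESSES).items():
        print(f"{user:10s} {status:9s} {detail or ''}")
    line, password = new_setup_entry("setupuser")
    print("replacement line:", line)
    print("hand this password to the admin out of band:", password)
```

Run it against the file named by the `AuthUserFile` directive that guards setup.php; any user reported as `weak` means the Apache authentication in front of the script is not a barrier, and any `unchecked` entry has to be verified with the real `htpasswd -v` (Apache 2.4) before it is trusted.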