Thijs Kinkhorst wrote:
> Concerning these phpMyAdmin security issues the following:
> 
> Thomas Babut wrote:
> > 3 security issues were fixed with the new version of phpMyAdmin 2.9.1.1.
> > All 3 issues affect all previous versions of phpMyAdmin. This also
> > applies to Sarge.
> > 
> > See these security announcements:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7
> 
> This partially applies to sarge, but the part that applies is only
> exploitable when register_globals = On. Is that setup security
> supported? If it is, we can use the attached simple patch.

No, it's an unsupported setup.
 
> This is a feature that was insecure by design: the X-Forwarded-For HTTP
> header was used to determine the IP of a user to match it against an
> allow/deny list; this HTTP header is of course easily settable by any
> client.
> 
> The solution is that the behaviour is changed and an extra configuration
> parameter has been added. Is this suitable for sarge? See also patch.

What functionality is referred to by "Bad IP Allow/Deny checking"? Is it a
black list protection against potentially malicious clients or brute
force attacks?

Cheers,
        Moritz
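The flaw Thijs describes, as an added illustration that is not part of this thread and not phpMyAdmin's own code: an allow/deny check that takes the client address from X-Forwarded-For lets any client pass by sending that header, whereas honouring the header only for hops appended by an operator-configured trusted proxy (the "extra configuration parameter" mentioned above; all names, addresses and the allow list below are constructed) does not.

```python
import ipaddress

# Constructed sample allow list: only the internal network may reach the admin UI.
ALLOW_RULES = ["10.0.0.0/8"]


def parse_forwarded_for(headers):
    """Split an X-Forwarded-For header into its hop list (left = oldest claim)."""
    raw = headers.get("X-Forwarded-For", "")
    return [h.strip() for h in raw.split(",") if h.strip()]


def client_ip_insecure(remote_addr, headers):
    """The 'insecure by design' behaviour: a client-supplied header wins."""
    hops = parse_forwarded_for(headers)
    return hops[0] if hops else remote_addr


def client_ip_hardened(remote_addr, headers, trusted_proxies=()):
    """Trust X-Forwarded-For only for hops appended by proxies we operate.

    Walk the chain from the right (the hop nearest to us). Every hop that is
    a trusted proxy is skipped; the first untrusted hop is the client.  With
    no trusted proxies configured this degrades to REMOTE_ADDR, which a
    client cannot forge over an established TCP connection.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(remote_addr) not in trusted:
        return remote_addr  # direct connection: the header is untrusted input
    for hop in reversed(parse_forwarded_for(headers)):
        try:
            if ipaddress.ip_address(hop) not in trusted:
                return hop
        except ValueError:
            break  # malformed hop: stop trusting the header
    return remote_addr  # chain contained only our own proxies


def is_allowed(ip, rules=ALLOW_RULES):
    """Match a single address against CIDR allow rules."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in rules)
```

With no trusted proxy configured, the hardened check never consults the header at all, which is the safe default for a host serving clients directly.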

