Thijs Kinkhorst wrote:
> Concerning these phpMyAdmin security issues the following:
>
> Thomas Babut wrote:
> > 3 security issues were fixed with the new version of phpMyAdmin 2.9.1.1.
> > All 3 issues affect all previous versions of phpMyAdmin. This also
> > applies to Sarge.
> >
> > See these security announcements:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-7
>
> This partially applies to sarge, but the part that applies is only
> exploitable when register_globals = On. Is that setup security
> supported? If it is, we can use the attached simple patch.
No, it's an unsupported setup.

> This is a feature that was insecure by design: the X-Forwarded-For HTTP
> header was used to determine the IP of a user to match it against an
> allow/deny list; this HTTP header is of course easily settable by any
> client.
>
> The solution is that the behaviour is changed and an extra configuration
> parameter has been added. Is this suitable for sarge? See also patch.

What functionality is referred to by "Bad IP Allow/Deny checking"? Is it a
blacklist protection against potentially malicious clients or brute force
attacks?

Cheers,
Moritz
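As an added illustration of the flaw Thijs describes (example code written for this page, not phpMyAdmin's own code and not its actual fix): a naive client-IP resolver that believes X-Forwarded-For, beside one that only consults the header when the connecting peer is a proxy the administrator has explicitly listed. The function names and the $trustedProxies list are assumptions, and the addresses are constructed samples.

```php
<?php
// Added example, not phpMyAdmin code. Hypothetical names: clientIpNaive,
// clientIpTrusted, $trustedProxies. Addresses below are constructed samples.

// The design the advisory calls insecure: if X-Forwarded-For is present,
// believe it. Any client can send this header, so the value that feeds the
// allow/deny check is chosen by the client itself.
function clientIpNaive(array $server): string
{
    if (!empty($server['HTTP_X_FORWARDED_FOR'])) {
        return trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    return $server['REMOTE_ADDR'];
}

// Hardened variant: REMOTE_ADDR is the TCP peer as seen by the web server and
// is not set by the HTTP request. Only when that peer is a proxy the
// administrator listed explicitly is X-Forwarded-For consulted, and then the
// chain is walked from the right so that listed hops are skipped and the
// nearest unlisted address is taken as the client. With no proxies listed
// (the safe default for a directly reachable install) the header is ignored.
function clientIpTrusted(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'];
    if (!in_array($peer, $trustedProxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!in_array($hops[$i], $trustedProxies, true)) {
            // Reject malformed values rather than feeding them to the list match.
            return filter_var($hops[$i], FILTER_VALIDATE_IP) ? $hops[$i] : $peer;
        }
    }
    return $peer; // every hop was a listed proxy
}

function isAllowed(string $ip, array $allowList): bool
{
    return in_array($ip, $allowList, true);
}

// Constructed request: a direct connection from 203.0.113.9 carrying an
// X-Forwarded-For value naming the allow-listed address 192.0.2.10.
$request = ['REMOTE_ADDR' => '203.0.113.9', 'HTTP_X_FORWARDED_FOR' => '192.0.2.10'];
$allow   = ['192.0.2.10'];
var_dump(isAllowed(clientIpNaive($request), $allow));                    // header believed blindly
var_dump(isAllowed(clientIpTrusted($request, []), $allow));              // no proxies listed
var_dump(isAllowed(clientIpTrusted($request, ['203.0.113.9']), $allow)); // peer is a listed proxy
```

Run it with the PHP CLI to compare the three results; the middle case is the one a directly exposed install should be in.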