Hi folks,

Thijs Kinkhorst <[email protected]> wrote:
> ------------------------------------------------------------------------
> Debian Security Advisory DSA-1824-1                   [email protected]
> http://www.debian.org/security/                           Thijs Kinkhorst
> June 25, 2009                         http://www.debian.org/security/faq
> ------------------------------------------------------------------------
>
> Package        : phpmyadmin
[...]
> CVE-2009-1151
>
> Static code injection allows for a remote attacker to inject arbitrary
> code into phpMyAdmin via the setup.php script. This script is in Debian
> under normal circumstances protected via Apache authentication.
> However, because of a recent worm based on this exploit, we are patching
> it regardless, to also protect installations that somehow still expose
> the setup.php script.
May I just point out that the setup.php script is in fact *not* really
protected in Debian? The problem is that it is by default accessible using a
standard password, thus making phpmyadmin vulnerable to remote user attacks.
It might be better not to create a default htpasswd.setup and to advise the
admin somehow to do so manually in order to get access to setup.php.

Regards,
Elias
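One defensive check that follows from Elias's point, as an added example (not code from Debian, phpMyAdmin or either poster): audit an htpasswd-format file such as htpasswd.setup for entries that verify against a list of candidate default passwords. The file contents, the user names and the candidate password list are constructed for the example; only `{SHA}` entries (the format written by `htpasswd -s`) are verified, and entries in other schemes are reported as unverified rather than assumed safe.

```python
import base64
import hashlib

# Constructed sample in htpasswd format, standing in for an htpasswd.setup file.
# The "ops" hash is a placeholder, not a real $apr1$ digest.
SAMPLE_HTPASSWD = """\
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
ops:$apr1$saltsalt$placeholder-not-a-real-hash
"""

# Hypothetical candidate defaults an auditor would try; the real list comes
# from the package actually deployed, not from this example.
CANDIDATE_DEFAULTS = ["password", "setup", "phpmyadmin"]


def sha_htpasswd(password: str) -> str:
    """Encode a password the way `htpasswd -s` does: "{SHA}" + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def audit_htpasswd(text: str, candidates: list[str]) -> dict[str, str]:
    """Return {user: verdict}; verdict is 'DEFAULT:<pw>', 'ok' or 'unverified'.

    Only {SHA} entries are checked here. Other schemes ($apr1$, crypt) are
    reported as 'unverified' so they are never silently treated as safe.
    """
    verdicts: dict[str, str] = {}
    # Precompute the encoded form of every candidate so each entry is a lookup.
    sha_lookup = {sha_htpasswd(pw): pw for pw in candidates}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        stored = stored.strip()
        if stored.startswith("{SHA}"):
            match = sha_lookup.get(stored)
            verdicts[user] = f"DEFAULT:{match}" if match else "ok"
        else:
            verdicts[user] = "unverified"
    return verdicts


if __name__ == "__main__":
    for user, verdict in audit_htpasswd(SAMPLE_HTPASSWD, CANDIDATE_DEFAULTS).items():
        print(f"{user}: {verdict}")
```

Any user reported as DEFAULT should have the entry regenerated with a site-specific password, and unverified entries need a check with a tool that understands their scheme before the file is considered clean.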

