On Thu, Jun 25, 2009 at 10:09 PM, Thijs Kinkhorst <[email protected]> wrote:
> On Thursday 25 June 2009, Olaf van der Spek wrote:
>> I've no idea how the phpinfo() ended up in this file, but I've seen it on
>> multiple servers. Could this be a vulnerability in phpMyAdmin? Or some bug
>> in the Debian package?
>
> Hi Olaf,
>
> As it seems this is the result of a phpMyAdmin worm that was released
> recently: http://isc.sans.org/diary.html?storyid=6619
> It uses a vulnerability in the setup.php script. We did not patch that
> vulnerability earlier because in Debian, the setup.php script is supposed to
> be protected by a htaccess-type setup. Still it seems that some installations
> in one way or the other have an exposed setup.php. We will be releasing
> updated packages as soon as possible to also protect this group.

I've symlinked /var/www/phpmyadmin to /usr/share/phpmyadmin, so no access
rules (it's Lighttpd). I wonder if there's further damage.

Olaf
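An added example, not from this thread or from the Debian package: a Lighttpd fragment that restores the access restriction the symlink bypasses, since the package's htaccess-style protection only takes effect under Apache. It assumes phpMyAdmin is served under /phpmyadmin and that the setup script sits at scripts/setup.php below it (both paths are assumptions, as is the htpasswd file location).

```conf
# Added example, not part of the thread or the Debian package.
# Assumes phpMyAdmin is reachable under /phpmyadmin and that the
# setup script is scripts/setup.php below that (assumed path).
# mod_access is already loaded by Debian's default lighttpd.conf;
# mod_auth is only needed for option 2.
server.modules += ( "mod_auth" )

# Option 1: deny the setup script outright. The empty string in
# url.access-deny matches every request that enters this block,
# so the rule applies regardless of query string or extra path.
$HTTP["url"] =~ "^/phpmyadmin/scripts/setup\.php" {
    url.access-deny = ( "" )
}

# Option 2 (use instead of option 1 if setup.php must stay usable):
# require HTTP basic authentication for the whole scripts/ directory,
# mirroring what the htaccess-type setup does under Apache.
auth.backend = "htpasswd"
auth.backend.htpasswd.userfile = "/etc/lighttpd/phpmyadmin.htpasswd"  # assumed path
auth.require = (
    "/phpmyadmin/scripts/" => (
        "method"  => "basic",
        "realm"   => "phpMyAdmin setup",
        "require" => "valid-user"
    )
)
```

Either option only closes the exposure created by serving the tree without the package's access rules; it does not replace the updated packages Thijs mentions.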

