Package: phpmyadmin
Version: 4:2.6.2-1
Severity: normal

The current permissions of the configuration files are set to world readable. This is a problem because it means that any database access passwords stored here are readable to everyone on the system.

At a very minimum the group should be set to www-data for all files in this directory and the world-readable should be turned off. It should be noted that any process that is also running on the same server will be able to read the files in this directory from within a script executed by the web-server.

Of course the latter issue means that someone who has permission to write/upload scripts can compromise these files, but people who currently have login access can see those files.

I suppose an argument could be made that by making it world readable, the security implications are obvious. Perhaps adding a README-security file in the same directory could warn new administrators.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)

Versions of packages phpmyadmin depends on:
ii  apache [httpd]   1.3.33-4      versatile, high-performance HTTP s
ii  debconf          1.4.30.13     Debian configuration management sy
ii  php4             4:4.3.10-13   server-side, HTML-embedded scripti
ii  php4-cgi         4:4.3.10-13   server-side, HTML-embedded scripti
ii  php4-mysql       4:4.3.10-13   MySQL module for php4
ii  ucf              1.17          Update Configuration File: preserv

-- debconf information excluded
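The check and the minimum change requested in the report, as an added example that is not part of the original report or of the phpmyadmin package. The report does not name the configuration directory, so it is passed as an argument; the function names are hypothetical, and the group defaults to the www-data named in the report.

```sh
#!/bin/sh
# Added example: audit and tighten permissions on a directory of web
# application configuration files. DIR and GROUP come from the caller.

# Print every regular file under DIR whose "other" read bit is set.
list_world_readable() {
    find "$1" -type f -perm -004 -print
}

# Hand the tree to GROUP and strip all access for "other".
# Owner and group bits are left untouched, so the web server keeps
# whatever read access the group already had.
harden_config_dir() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    chmod -R o-rwx "$dir" || return 1
    # Verify: succeed only if nothing is still world-readable.
    remaining=$(list_world_readable "$dir")
    [ -z "$remaining" ]
}

# Usage: sh audit-config-perms.sh DIR [GROUP]   (GROUP defaults to www-data)
if [ "$#" -gt 0 ]; then
    echo "World-readable files before the change:"
    list_world_readable "$1"
    harden_config_dir "$1" "${2:-www-data}" &&
        echo "OK: no world-readable files remain"
fi
```

As the report points out, this only removes access for local login users: a script executed by the web server still runs with the www-data group and can read the files.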