Package: phpmyadmin
Version: 4:2.9.1.1-7
Severity: critical
Tags: security
Justification: causes serious data loss
Hello,

The Debian mysql package configures the root user with no password by default. It is not a problem (and rather useful as long as you know what you do) as long as only trusted users have access to the console.

When phpmyadmin is installed, it accesses mysql via localhost, so it is possible to log in as root with no password via the web interface.

When installed with a mysql server with no root password, I think this package should either:
 - ask the user to set a root password for mysql
 - or at least give a security warning to the user installing phpmyadmin

Even if this problem is easily guessable when you first log into phpmyadmin, I think it should be corrected before phpmyadmin installation because:
 - of the short time in which your server could be compromised (even if it is unlikely)
 - it could be forgotten (it happened to me with a hosting server; fortunately, nobody else found it)

With regards,
Sylvain Avril

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.24.5-grsec-xxxx-grs-ipv4-64
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)

Versions of packages phpmyadmin depends on:
ii  debconf [debconf-2.0]     1.5.11etch2     Debian configuration management sy
ii  libapache2-mod-php4       6:4.4.4-8+etch6 server-side, HTML-embedded scripti
ii  perl                      5.8.8-7etch3    Larry Wall's Practical Extraction
ii  php4                      6:4.4.4-8+etch6 server-side, HTML-embedded scripti
ii  php4-mysql                6:4.4.4-8+etch6 MySQL module for php4
ii  php5-mysql                5.2.0-8+etch11  MySQL module for php5
ii  ucf                       2.0020          Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2-mpm-prefork [htt  2.2.3-4+etch5   Traditional model for Apache HTTPD
ii  php4-mcrypt               6:4.4.4-8+etch6 MCrypt module for php4
ii  php5-gd                   5.2.0-8+etch11  GD module for php5

-- debconf information excluded
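The audit and remediation the report asks the package to perform, as an added example that is not part of the bug report or of the Debian packaging. It is meant to be run by the MySQL administrator (for instance from the mysql console as root) against a MySQL 5.0-era server like the one shipped with Debian etch, and assumes that version's mysql.user layout, where the hash is stored in the Password column (newer servers use authentication_string and PASSWORD() has since been removed). 'REPLACE-ME' is a placeholder, not a suggested password.

```sql
-- Added example, not from the bug report or the Debian package scripts.
-- Assumes the MySQL 5.0 mysql.user layout (Password column, PASSWORD() function).

-- 1. Audit: which accounts can log in with an empty password?
--    On a fresh install this lists the root rows created by mysql_install_db
--    (there can be more than one Host) and, if present, anonymous '' users.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';

-- 2. Remediate every root row in one statement so that no host variant
--    (localhost, 127.0.0.1, the machine's hostname) is left open.
UPDATE mysql.user
   SET Password = PASSWORD('REPLACE-ME')
 WHERE User = 'root'
   AND Password = '';

-- 3. Drop anonymous accounts, if any: they also need no password and are
--    reachable through phpMyAdmin just like root.
DELETE FROM mysql.user
 WHERE User = '';

-- 4. Reload the grant tables so the running server honours the change.
FLUSH PRIVILEGES;

-- 5. Re-run the audit; it must now return no rows.
SELECT User, Host
  FROM mysql.user
 WHERE Password = '';
```

For a single account the equivalent is SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE-ME'), but it only covers the one User/Host pair named, which is why the example updates all empty-password root rows at once. Setting phpMyAdmin's own $cfg['Servers'][$i]['AllowNoPassword'] to false is a separate guard at the web layer and does not replace setting a password, since the console and every other local client still reach the server directly.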