On Tue, August 25, 2009 15:58, Michele Bonera wrote:
> On Tuesday 25 August 2009 14:12:01 Nico Golde wrote:
>
>
>> * Michele Bonera <mich...@bonera.biz> [2009-08-25 13:43]:
>>
>>> Package: phpmyadmin
>>> Version: 4:2.9.1.1-11
>>> Severity: grave
>>> Tags: security
>>> Justification: user security hole
>>>
>>>
>>> After install, you can access
>>> http://{host}/phpmyadmin/scripts/setup.php
>>> without entering any password. By adding a new host in the
>>> configuration, an attacker can submit malicious code to execute
>>> commands as www-data user.
>> How can an attacker add a new host in the configuration?
>>
>
> Sorry, I meant a new server in the servers list.

I am unclear on how this would work. You say you are using the etch
version. It asks for setup.php credentials and then installs the relevant
Apache configuration to fence the setup.php off. This process works for
me.

Can you please detail what it is that causes the lack of authentication?
Can you reproduce this on a clean install or after a package purge?

Also even if you would be able to access setup.php, how would the code
execution work exactly? Please provide an example.


cheers,
Thijs



