lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20040630194311.15169.qmail@www.securityfocus.com>
Date: 30 Jun 2004 19:43:11 -0000
From: Marc Delisle <DelislMa@...legeSherbrooke.qc.ca>
To: bugtraq@...urityfocus.com
Subject: Re: php codes injection in phpMyAdmin version 2.5.7.


In-Reply-To: <20040629025752.976.qmail@....securityfocus.com>

The Internet, 2004-06-30

Greetings,

The phpMyAdmin development team announces
the availability of phpMyAdmin 2.5.7, patch level 1.
This version fixes the vulnerability dated 2004-06-29,
released on BUGTRAQ.
 
From our Documentation.html, FAQ 8.2:
"We acknowledge that phpMyAdmin versions 2.5.1 to 2.5.7 are vulnerable to this problem,
 if each of the following conditions are met:

    * The Web server hosting phpMyAdmin is not running in safe mode.
    * In config.inc.php, $cfg['LeftFrameLight'] is set to FALSE (the default value of this parameter is TRUE).
    * There is no firewall blocking requests from the Web server to the attacking host."

We would like to put emphasis on the disappointment we feel when a bugreporter does not contact the authors of a software first, before posting any exploits. The common way to report this, is to give the developers a reasonable amount of time to respond to an exploit 
before it is made public.

Marc Delisle, for the team.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ