lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <43A6F92B.8000402@cegepsherbrooke.qc.ca>
Date: Mon, 19 Dec 2005 13:17:15 -0500
From: Marc Delisle <Marc.Delisle@...epsherbrooke.qc.ca>
To: bugtraq@...urityfocus.com
Subject: about phpMyAdmin's server_privileges.php announced vulnerability


phpMyAdmin's team answer to vulnerability announcement
of Dec 17, 2005
[ http://www.securityfocus.com/archive/1/419709/30/0/threaded ]

We don't think that this is a real threat. The server_privileges.php 
script checks at the beginning if the user is privileged. So, for this 
attack to work, the victim's phpMyAdmin installation would have to be 
set as to allow any user to auto-login as a privileged user! If this is 
the case, this phpMyAdmin installation is wide open and this situation 
has to be fixed by the person who configured phpMyAdmin.

Marc Delisle, for the team


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ