Re: php codes injection in phpMyAdmin version 2.5.7.

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: php codes injection in phpMyAdmin version 2.5.7.
From: Marc Delisle <DelislMa@xxxxxxxxxxxxxxxxxxxxxxx>
Date: 30 Jun 2004 19:43:11 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

In-Reply-To: <20040629025752.976.qmail@xxxxxxxxxxxxxxxxxxxxx>

The Internet, 2004-06-30

Greetings,

The phpMyAdmin development team announces
the availability of phpMyAdmin 2.5.7, patch level 1.
This version fixes the vulnerability dated 2004-06-29,
released on BUGTRAQ.
 
>From our Documentation.html, FAQ 8.2:
"We acknowledge that phpMyAdmin versions 2.5.1 to 2.5.7 are vulnerable to this 
problem,
 if each of the following conditions are met:

    * The Web server hosting phpMyAdmin is not running in safe mode.
    * In config.inc.php, $cfg['LeftFrameLight'] is set to FALSE (the default 
value of this parameter is TRUE).
    * There is no firewall blocking requests from the Web server to the 
attacking host."

We would like to put emphasis on the disappointment we feel when a bugreporter 
does not contact the authors of a software first, before posting any exploits. 
The common way to report this, is to give the developers a reasonable amount of 
time to respond to an exploit 
before it is made public.

Marc Delisle, for the team.

Prev by Date: (IE/SCOB) Switching Software Because of Bugs: Some Facts About Software and Security bugs
Next by Date: DSL router Prestige 650HW-31
Previous by thread: php codes injection in phpMyAdmin version 2.5.7.
Next by thread: Re: php codes injection in phpMyAdmin version 2.5.7.
Index(es):
- Date
- Thread