about phpMyAdmin's server_privileges.php announced vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: about phpMyAdmin's server_privileges.php announced vulnerability
From: Marc Delisle <Marc.Delisle@xxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 19 Dec 2005 13:17:15 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla Thunderbird 1.0.6 (Windows/20050716)

phpMyAdmin's team answer to vulnerability announcement
of Dec 17, 2005
[ http://www.securityfocus.com/archive/1/419709/30/0/threaded ]

We don't think that this is a real threat. The server_privileges.phpscript checks at the beginning if the user is privileged. So, for thisattack to work, the victim's phpMyAdmin installation would have to beset as to allow any user to auto-login as a privileged user! If this isthe case, this phpMyAdmin installation is wide open and this situationhas to be fixed by the person who configured phpMyAdmin.


Marc Delisle, for the team

Prev by Date: Making unidirectional VLAN and PVLAN jumping bidirectional
Next by Date: [security bulletin] SSRT051026 rev. 1 - HP-UX running WBEM Services Denial of Service (DoS)
Previous by thread: Re: Making unidirectional VLAN and PVLAN jumping bidirectional
Next by thread: [security bulletin] SSRT051026 rev. 1 - HP-UX running WBEM Services Denial of Service (DoS)
Index(es):
- Date
- Thread