[35558] in bugtraq
Re: php codes injection in phpMyAdmin version 2.5.7.
daemon@ATHENA.MIT.EDU (Marc Delisle)
Thu Jul 1 12:49:30 2004
Date: 30 Jun 2004 19:43:11 -0000
Message-ID: <20040630194311.15169.qmail@www.securityfocus.com>
From: Marc Delisle <DelislMa@CollegeSherbrooke.qc.ca>
To: bugtraq@securityfocus.com
In-Reply-To: <20040629025752.976.qmail@www.securityfocus.com>
The Internet, 2004-06-30
Greetings,
The phpMyAdmin development team announces
the availability of phpMyAdmin 2.5.7, patch level 1.
This version fixes the vulnerability dated 2004-06-29,
released on BUGTRAQ.
From our Documentation.html, FAQ 8.2:
"We acknowledge that phpMyAdmin versions 2.5.1 to 2.5.7 are vulnerable to this problem,
if each of the following conditions are met:
* The Web server hosting phpMyAdmin is not running in safe mode.
* In config.inc.php, $cfg['LeftFrameLight'] is set to FALSE (the default value of this parameter is TRUE).
* There is no firewall blocking requests from the Web server to the attacking host."
We would like to put emphasis on the disappointment we feel when a bug reporter does not contact the authors of a software first, before posting any exploits. The common way to report this is to give the developers a reasonable amount of time to respond to an exploit before it is made public.
Marc Delisle, for the team.
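
A defender-side check of the FAQ 8.2 conditions quoted in the message above, as an added example that is not part of the original message or of phpMyAdmin. The function names, the regex-based reading of config.inc.php and the sample config are assumptions made for illustration; the firewall condition cannot be read from the host's files and is left to the operator.

```python
import re

# Affected range as stated in the message; 2.5.7-pl1 is the fixed release.
FIRST_AFFECTED, LAST_AFFECTED = (2, 5, 1), (2, 5, 7)

# Constructed sample config.inc.php fragment (not from a real install).
SAMPLE_CONFIG = """<?php
// $cfg['LeftFrameLight'] = TRUE;   (commented out, must be ignored)
$cfg['LeftFrameLight'] = FALSE;
?>"""

def parse_version(v):
    """Split '2.5.7-pl1' into ((2, 5, 7), 1); the patch level defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-pl(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.group(1, 2, 3)), int(m.group(4) or 0)

def version_affected(v):
    """True for 2.5.1 .. 2.5.7, except 2.5.7 at patch level 1 or later."""
    base, patch_level = parse_version(v)
    if base == LAST_AFFECTED and patch_level >= 1:
        return False
    return FIRST_AFFECTED <= base <= LAST_AFFECTED

def left_frame_light(config_text):
    """Effective $cfg['LeftFrameLight']: last assignment wins, default TRUE."""
    # Approximate comment stripping so commented-out settings are not counted.
    code = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    code = re.sub(r"(//|#).*", "", code)
    value = True  # default value according to FAQ 8.2
    pattern = r"\$cfg\[\s*['\"]LeftFrameLight['\"]\s*\]\s*=(?!=)\s*([^;]+);"
    for m in re.finditer(pattern, code):
        literal = m.group(1).strip().strip("'\"").lower()
        value = literal not in ("false", "0", "", "null")
    return value

def locally_exposed(version, config_text, safe_mode):
    """True when every locally checkable FAQ 8.2 condition is met.

    The third condition (no firewall blocking outbound requests from the
    Web server) has to be verified separately.
    """
    return (version_affected(version)
            and not safe_mode
            and not left_frame_light(config_text))

if __name__ == "__main__":
    print(locally_exposed("2.5.7", SAMPLE_CONFIG, safe_mode=False))
```
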