From a7272448770122fabdf88ce17772c90b2efb5649 Mon Sep 17 00:00:00 2001 From: Marc Delisle Date: Wed, 12 Jul 2006 14:15:41 +0000 Subject: [PATCH] patch #1519351, security alerts and documentation --- ChangeLog | 4 +++ Documentation.html | 81 ++-------------------------------------------- 2 files changed, 7 insertions(+), 78 deletions(-) diff --git a/ChangeLog b/ChangeLog index c49fb0b27..ac755a64d 100755 --- a/ChangeLog +++ b/ChangeLog @@ -6,6 +6,10 @@ $Id$ $Source$ +2006-07-12 Marc Delisle + * Documentation.html: patch #1519351, security alerts, + thanks to Juergen Wind - windkiel + 2006-07-09 Michal Čihař * Documentation.html: Readd accidentally removed quotes. diff --git a/Documentation.html b/Documentation.html index 90c344489..547be08e5 100755 --- a/Documentation.html +++ b/Documentation.html @@ -3769,87 +3769,12 @@ chmod o+rwx tmp

Security

- Security alert, dated 2003-06-18.

+ Where can I get information about the security alerts issued for phpMyAdmin? -

Last update of this FAQ: - 2003-07-22.

- - The phpMyAdmin development team received notice of this security alert: - http://www.securityfocus.com/archive/1/325641. -

- - The team regrets that the author did not communicate with us before - sending this alert. However, here is our current reply to the points mentioned: +

Please refer to + http://www.phpmyadmin.net/home_page/security.php

-
  • "Directory transversal attack"

    - - This problem had been fixed in version 2.5.0, even if the author reports - the 2.5.2 development version as vulnerable, which we could not reproduce. -
    • - -
  • "Remote local file retrieving"

    - - This is a misleading title, as the author tells in his text: - "Note that you can't request files ( only dirs )".
    • - -
  • "Remote internal directory listing"

    - - It was possible to retrieve the list of phpMyAdmin's directory (which we - doubt can cause any damage), but we fixed this in the 2.5.2 version.
    • - -
  • "XSS and Path disclosures"

    - - Most of the XSS problems have been fixed in version 2.5.0. The rest - have been fixed in the 2.5.2 version.

    - - We believe that the Path disclosures problems have also been fixed - in version 2.5.2.
    • - -
  • "Information encoding weakness"

    - - We believe that an exploit for this weakness would be difficult - to achieve. However version 2.5.2 now encrypts the password - with the well-known blowfish algorithm.
    • -
- -

- Security alert, dated 2004-06-29.

- -

Last update of this FAQ: 2004-06-30. -

- The phpMyAdmin development team received notice of this security alert: - - http://securityfocus.com/archive/1/367486/2004-06-26/2004-07-02/0 -

- We would like to put emphasis on the disappointment we feel when a - bugreporter does not contact the authors of a software first, before - posting any exploits. The common way to report this, is to give the - developers a reasonable amount of time to respond to an exploit before - it is made public.

- - We acknowledge that phpMyAdmin versions 2.5.1 to 2.5.7 are vulnerable - to this problem, if each of the following conditions are met:

- -
  • The Web server hosting phpMyAdmin is not running in safe mode.
    • -
  • In config.inc.php, - $cfg['LeftFrameLight'] - is set to FALSE - (the default value of this parameter is TRUE).
    • -
  • There is no firewall blocking requests from the Web server to the - attacking host.
    • -
- -

Version 2.5.7-pl1 was released with a fix for this vulnerability.

- -

- About new security alerts -

- -

Please refer to - http://www.phpmyadmin.net - for the complete list of security alerts.

-

Developers Information