security alert

Marc Delisle
2003-07-01 11:49:21 +00:00
parent ac4e4cc0fb
commit aa2346e346
2 changed files with 61 additions and 1 deletions


@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
$Id$
$Source$
2003-07-01 Marc Delisle <lem9@users.sourceforge.net>
* Documentation.html: faq 8.1 about security alert of 2003-06-18
2003-06-30 Marc Delisle <lem9@users.sourceforge.net>
* lang/french: update
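Review bot: The new ChangeLog entry identifies the alert only by its date ("security alert of 2003-06-18"), so a reader of the changelog cannot tell which releases are concerned. Consider naming the versions the FAQ text itself gives (fixes in 2.5.0, remainder in the upcoming 2.5.2) so the entry is useful without opening Documentation.html.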


@@ -2005,7 +2005,8 @@ To create a new, empty mimetype please see libraries/transformations/template_ge
<a href="#faqmultiuser">Multi-user</a> &nbsp;-&nbsp;
<a href="#faqbrowsers">Browsers</a> &nbsp;-&nbsp;
<a href="#faqusing">Usage tips</a> &nbsp;-&nbsp;
<a href="#faqproject">Project</a>
<a href="#faqproject">Project</a> &nbsp;-&nbsp;
<a href="#faqsecurity">Security</a>
</p>
<a name="faqserver"></a><br />
@@ -3318,6 +3319,62 @@ To create a new, empty mimetype please see libraries/transformations/template_ge
Also, have a look at the
<a href="#developers">Developers section</a>.
</p>
<a name="faqsecurity"></a><br />
<h3>[8. Security ]</h3>
<h4>
[8.1] Security alert, dated 2003-06-18.
</h4>
<p>
Last update of this FAQ: 2003-07-01.
<br /><br />
The phpMyAdmin's development team received notice of this
<a href="http://www.securityfocus.com/archive/1/325641" target="_blank">security alert.</a>
<br /><br />
The team regrets that the author did not communicate with us before
sending this alert. However, here is our current reply to the points mentionned:
<br /><br />
<ul>
<li>&quot;Directory transversal attack&quot;
<br /><br />
This problem had been fixed in version 2.5.0, even if the author reports
the 2.5.2 development version as vulnerable, which we could not reproduce.
<br /><br />
</li>
<li>&quot;Remote local file retrieving&quot;
<br /><br />
This is a misleading title, as the author tells in his text:
&quot;Note that you can't request files ( only dirs )&quot;.
<br /><br />
</li>
<li>&quot;Remote internal directory listing&quot;
<br /><br />
It was possible to retrieve the list of phpMyAdmin's directory (which we
doubt can cause any damage), but we fixed this in the upcoming
2.5.2 version.
<br /><br />
</li>
<li>&quot;XSS and Path disclosures&quot;
<br /><br />
Most of the XSS problems have been fixed in version 2.5.0. The rest
have been fixed in the upcoming 2.5.2 version.
<br /><br />
We are currently looking at the Path disclosure issue.
<br /><br />
</li>
<li>&quot;Information encoding weakness&quot;
<br /><br />
We believe that an exploit for this weakness would be difficult
to achieve. However we are currently working to remove this weakness.
<br /><br />
</li>
</ul>
</p>
<!-- DEVELOPERS -->
<a name="developers"></a><br />
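Review bot: In the new FAQ 8.1 block the `<ul>` is opened inside the `<p>` that begins before "Last update of this FAQ", and a paragraph cannot contain a list, so browsers close the paragraph implicitly at `<ul>` and the trailing `</p>` after `</ul>` is left unmatched; close the `<p>` before `<ul>` and drop the final `</p>`. On content, the entry states what is fixed in 2.5.0 and in the upcoming 2.5.2 but never tells the reader what to do now, so I would add one sentence recommending an upgrade to at least 2.5.0, and to 2.5.2 once it is released. The parenthetical "(which we doubt can cause any damage)" in the directory-listing item undercuts the fix and is better dropped, since a listing of the installation directory is useful reconnaissance for someone probing the server. Two wording fixes: "mentionned" should be "mentioned", and "The phpMyAdmin's development team" should read "The phpMyAdmin development team".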