security alert
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
$Id$
$Source$

2003-07-01 Marc Delisle <lem9@users.sourceforge.net>
* Documentation.html: faq 8.1 about security alert of 2003-06-18

2003-06-30 Marc Delisle <lem9@users.sourceforge.net>
* lang/french: update
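Review bot: the 2003-07-01 entry names the FAQ item that was added but not the alert it answers, so someone scanning the ChangeLog for security-relevant changes cannot tell what was addressed without opening Documentation.html. Suggest extending the line to something like `* Documentation.html: faq 8.1 about security alert of 2003-06-18 (http://www.securityfocus.com/archive/1/325641)` and stating that the fixes themselves are in 2.5.0 and the upcoming 2.5.2, as the FAQ text says.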
@@ -2005,7 +2005,8 @@ To create a new, empty mimetype please see libraries/transformations/template_ge
<a href="#faqmultiuser">Multi-user</a> -
<a href="#faqbrowsers">Browsers</a> -
<a href="#faqusing">Usage tips</a> -
<a href="#faqproject">Project</a>
<a href="#faqproject">Project</a> -
<a href="#faqsecurity">Security</a>
</p>

<a name="faqserver"></a><br />
@@ -3318,6 +3319,62 @@ To create a new, empty mimetype please see libraries/transformations/template_ge
Also, have a look at the
<a href="#developers">Developers section</a>.
</p>
<a name="faqsecurity"></a><br />
<h3>[8. Security ]</h3>

<h4>
[8.1] Security alert, dated 2003-06-18.
</h4>
<p>
Last update of this FAQ: 2003-07-01.
<br /><br />
The phpMyAdmin's development team received notice of this
<a href="http://www.securityfocus.com/archive/1/325641" target="_blank">security alert.</a>
<br /><br />

The team regrets that the author did not communicate with us before
sending this alert. However, here is our current reply to the points mentionned:
<br /><br />
<ul>
<li>"Directory transversal attack"
<br /><br />

This problem had been fixed in version 2.5.0, even if the author reports
the 2.5.2 development version as vulnerable, which we could not reproduce.
<br /><br />
</li>
<li>"Remote local file retrieving"
<br /><br />
This is a misleading title, as the author tells in his text:
"Note that you can't request files ( only dirs )".
<br /><br />
</li>

<li>"Remote internal directory listing"
<br /><br />
It was possible to retrieve the list of phpMyAdmin's directory (which we
doubt can cause any damage), but we fixed this in the upcoming
2.5.2 version.
<br /><br />
</li>

<li>"XSS and Path disclosures"
<br /><br />
Most of the XSS problems have been fixed in version 2.5.0. The rest
have been fixed in the upcoming 2.5.2 version.
<br /><br />
We are currently looking at the Path disclosure issue.
<br /><br />
</li>
<li>"Information encoding weakness"
<br /><br />
We believe that an exploit for this weakness would be difficult
to achieve. However we are currently working to remove this weakness.
<br /><br />
</li>
</ul>

</p>

<!-- DEVELOPERS -->
<a name="developers"></a><br />
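Review bot: the new FAQ entry says which items were fixed in 2.5.0 and which in the upcoming 2.5.2, but never tells the reader what to do; add one sentence recommending an upgrade to 2.5.2 once it is released, and for the two items still open ("Path disclosure", "Information encoding weakness") say where their status will be updated. In the "Remote internal directory listing" item, the aside that a listing of phpMyAdmin's directory can hardly "cause any damage" undersells it: a file listing is still an information disclosure that aids reconnaissance of the installation, so describe it plainly as a disclosure that is fixed in 2.5.2. Typos: "mentionned" should be "mentioned", and "Directory transversal attack" is presumably "traversal" unless it quotes the advisory title verbatim. Markup: the `<ul>` sits inside the `<p>` opened after `</h4>`, which is not valid HTML since a paragraph cannot contain a list; close the `<p>` before `<ul>` and drop the stray `</p>` after `</ul>`.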