Hi,
* Michele Bonera <[email protected]> [2009-08-25 13:43]:
> Package: phpmyadmin
> Version: 4:2.9.1.1-11
> Severity: grave
> Tags: security
> Justification: user security hole
>
> After install, you can access http://{host}/phpmyadmin/scripts/setup.php
> without entering any password.
> By adding a new host in the configuration, an attacker can submit malicious
> code to execute commands as
> www-data user.

How can an attacker add a new host in the configuration?

Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [email protected] - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

