Date: Mon, 15 Sep 2008 20:48:03 -0400 (EDT) From: "Steven M. Christey" <coley@...us.mitre.org> To: oss-security@...ts.openwall.com cc: coley@...re.org Subject: Re: phpMyAdmin code execution (CVE request) On Mon, 15 Sep 2008, Thijs Kinkhorst wrote: > "- (220.127.116.11) [security] Code execution vulnerability" > > http://www.phpmyadmin.net/home_page/downloads.php?relnotes=1 > > "Welcome to this security update for phpMyAdmin 2.11.9. > Details will follow on http://phpmyadmin.net." > > http://www.nabble.com/phpMyAdmin-18.104.22.168-is-released-td19497113.html Use CVE-2008-4096, to be filled in later. FYI to PHP auditors out there - add create_function() to your list of dangerous functions. I've seen a couple reports of vulnerabilities related to it, and some PHP developer advocates singing its praises ("it's like eval, but it's different!") - Steve
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.