Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 15 Sep 2008 20:48:03 -0400 (EDT)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: oss-security@...ts.openwall.com
cc: coley@...re.org
Subject: Re: phpMyAdmin code execution (CVE request)


On Mon, 15 Sep 2008, Thijs Kinkhorst wrote:

> "- (2.11.9.1)  [security] Code execution vulnerability"
>
> http://www.phpmyadmin.net/home_page/downloads.php?relnotes=1
>
> "Welcome to this security update for phpMyAdmin 2.11.9.
> Details will follow on http://phpmyadmin.net."
>
> http://www.nabble.com/phpMyAdmin-2.11.9.1-is-released-td19497113.html

Use CVE-2008-4096, to be filled in later.

FYI to PHP auditors out there - add create_function() to your list of
dangerous functions.  I've seen a couple reports of vulnerabilities
related to it, and some PHP developer advocates singing its praises ("it's
like eval, but it's different!")

- Steve

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.