Date: Thu, 10 May 2012 11:03:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: phpMyFAQ default password 1.3.2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 05/10/2012 01:39 AM, Henri Salo wrote:
> This is a very old issue from 2003 without a CVE identifier.
> 
> Description:
> 
> By default, phpMyFAQ installs with a default password. An
> unspecified account has an unspecified password which is publicly
> known and documented. This allows attackers to trivially access the
> program or system and gain privileged access.
> 
> http://osvdb.org/show/osvdb/81714 
> http://www.phpmyfaq.de/changelog.php
> 
> Is there a general CVE identifier for issues like default passwords,
> which I think would be OK in a case like this? If a user upgraded an
> installation from an old version to a new one, this was not fixed in
> the process.
> 
> - Henri Salo

I'll need at least the account name so I can confirm this. Or, if you
diff the code, I'm guessing it will stand out easily.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPq/T3AAoJEBYNRVNeJnmTme0P/1q/22FTmG05Zd5XLE2Bbjcs
93uATy91vsqfRuv0kP9zOnZaMhn4gus5xo+42jAq/cvH+ewrLxYJjxVlIoimC4Pi
QSsTP/FeNCgNP5zsvKMy/03ffBIQw2cuQwNQKbu7L9Vxuv2g8MJJBPLjkuylBO4P
yg0j2/RtEMXzOEa+b4pPe0CBAEwOD6KNAvoEtK3018YYGG8csN/HqgVFkpFhJq+y
wjF1ei2R+QzA5Ig0YduAbEn/zynuvNhLgj5RVWq58wHo0fi003tsWKRQvEaEXwr0
mz+Yg9fDp1tOb3UcvbMqc3w8LK4UyeXJjy5TEvS3kKwdRKTKTX9y6oqkJqEjebxA
Nz/JciajoKp+xa0dXs/0TYvDvxYivuOAJR65OUPrPsNgsOOW4bUU5dMnnlFJ5t4T
38W8Co2B7ishu4BeG2AHcyS2xrS7o7GtOJbUSsaMn7L1HLwOS0L/YNQG92IaxJVf
iRWAa4TonGQjdrl8tPtiT4hEZHkaGTZrC9Ym1VUWyZhu/j2N3Gy1CY5RoVi7jN1J
KtTo3+BeQQyCLIVARnNXLdxLTHb6JHBO/ULZ9YwhbKJtUgjvdJqaSfau0Xcbj6or
XTbaQ9kxohewDwjohKZSxdXjc8Nteoja1F6AnAsGA5kFuJqljF6UCfqwsT/d0gZc
3a4KLwqt+d+yfYd8ljWs
=h+nZ
-----END PGP SIGNATURE-----
