
phpmyadmin version and vulnerabilities

janeks
Posts: 78
Joined: 15 Sep 2008, 02:02

phpmyadmin version and vulnerabilities

Post by janeks »

Hi!

As I see from the version info, the phpMyAdmin obtained with apt-get is not the latest version.
It looks to me like it is better to go to the phpMyAdmin pages and get the latest version...

Recently the start page of phpMyAdmin on my Bubba got cracked.
:(
I just had my web server open to the WAN. I had locked phpMyAdmin access to the LAN only, within /etc/phpmyadmin/config.inc.php.

Could the cracker have read that config file above?

Other things look untouched. Should I check some other things, to trace whether anything else was cracked or stolen?

brgds
Janeks
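One check that helps answer the question of what else to look at: while the web server was open to the WAN, Apache's access log (/var/log/apache2/access.log on Debian) recorded every request that reached phpMyAdmin, so it shows which outside addresses got to it and whether anyone touched the setup script. The following is an added example, not code from this thread or from Excito. It scans Apache combined-format log lines and reports every phpMyAdmin request from outside the LAN and every hit on the setup script; the setup script path (/phpmyadmin/scripts/setup.php) and the /phpmyadmin alias are assumptions about the Debian package layout, and the log lines are constructed, with 203.0.113.5 standing in for an outside client.

```python
import ipaddress
import re

# Constructed Apache combined-format log lines (not a real log). 203.0.113.5 is a
# documentation address standing in for an outside (WAN) client.
SAMPLE_LOG = """\
192.168.1.20 - - [10/Nov/2009:21:14:02 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Nov/2009:03:41:17 +0200] "GET /phpmyadmin/scripts/setup.php HTTP/1.1" 200 4231 "-" "Mozilla/4.0"
203.0.113.5 - - [11/Nov/2009:03:41:19 +0200] "POST /phpmyadmin/scripts/setup.php?page=servers HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [11/Nov/2009:03:42:01 +0200] "GET /phpmyadmin/index.php HTTP/1.1" 200 3140 "-" "Mozilla/4.0"
192.168.1.20 - - [11/Nov/2009:08:05:44 +0200] "GET /phpmyadmin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [11/Nov/2009:09:00:00 +0200] "GET /index.php HTTP/1.1" 200 900 "-" "curl/7.18"
"""

# Client address, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

PMA_PREFIX = "/phpmyadmin"                    # assumed: Debian's Alias for phpMyAdmin
SETUP_PATH = "/phpmyadmin/scripts/setup.php"  # assumed: location of the setup script


def parse_line(line):
    """Return the fields of one log line, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def audit_log(lines, lan="192.168.1.0/24"):
    """Flag phpMyAdmin requests that came from outside the LAN or hit the setup script.

    Each finding is a dict with a 'reason' of 'setup-script' (any client) or
    'outside-lan', plus the client address, timestamp, method and status.
    """
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PMA_PREFIX):
            continue
        try:
            outside = ipaddress.ip_address(rec["ip"]) not in lan_net
        except ValueError:
            outside = True  # unparsable client field: treat as untrusted
        if rec["path"] == SETUP_PATH:
            reason = "setup-script"
        elif outside:
            reason = "outside-lan"
        else:
            continue
        findings.append({
            "reason": reason, "ip": rec["ip"], "ts": rec["ts"],
            "method": rec["method"], "path": rec["path"], "status": rec["status"],
        })
    return findings


def audit_sample():
    """Run the audit over the constructed sample log."""
    return audit_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['reason']:12} {f['ip']:15} {f['ts']} {f['method']} {f['path']} {f['status']}")
```

Run it over the real log with `audit_log(open("/var/log/apache2/access.log"))` and the LAN prefix the box actually uses. A successful (status 200) POST to the setup script from an outside address is the thing to look for; compare the timestamps of any such request with the modification time of /etc/phpmyadmin/config.inc.php, and treat a match as a sign the configuration, including any stored credentials, should be considered exposed.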
carl
Posts: 474
Joined: 07 May 2008, 04:41

Re: phpmyadmin version and vulnerabilities

Post by carl »

janeks wrote:
Hi!

As I see from the version info, the phpMyAdmin obtained with apt-get is not the latest version.
It looks to me like it is better to go to the phpMyAdmin pages and get the latest version...

Recently the start page of phpMyAdmin on my Bubba got cracked.
:(
I just had my web server open to the WAN. I had locked phpMyAdmin access to the LAN only, within /etc/phpmyadmin/config.inc.php.

Could the cracker have read that config file above?

Other things look untouched. Should I check some other things, to trace whether anything else was cracked or stolen?

brgds
Janeks
For packages we use directly we sync with Debian security, but for other packages we only defined the normal Debian upstream line in sources.list.
Add "deb http://security.debian.org/ etch/updates main" to be able to download security updates as well. The following fixes have been made in security (I don't know if any of these are related to your problem):
phpmyadmin (4:2.9.1.1-13) oldstable-security; urgency=low

  * Fix inverted logic in documentation of new script.

 -- Thijs Kinkhorst <thijs@debian.org>  Sun, 25 Oct 2009 12:25:47 +0100

phpmyadmin (4:2.9.1.1-12) oldstable-security; urgency=high

  * Upload to oldstable to fix security issues.
  * Cross site scripting (CVE-2009-3696, closes: #552194).
  * Allow saving of configuration from setup script only after
    explicit action from administrator (closes: #535044, #543460).

 -- Thijs Kinkhorst <thijs@debian.org>  Sat, 24 Oct 2009 15:06:53 +0200

phpmyadmin (4:2.9.1.1-11) oldstable-security; urgency=high

  * Upload to oldstable to fix security issues.
  * Cross site scripting in export page using cookies.
    [CVE-2009-1150, PMASA-2009-2]
  * Static code injection in setup.php. This file should normally
    be protected by Apache authentication.
    [CVE-2009-1151, PMASA-2009-3]

 -- Thijs Kinkhorst <thijs@debian.org>  Thu, 25 Jun 2009 22:28:24 +0200
/Carl Fürstenberg, Excito Software Developer
http://www.excito.com
support@excito.com
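Debian security uploads keep the old upstream version and bump only the Debian revision (4:2.9.1.1-11, -12, -13 above), so a package that looks "older" than the phpMyAdmin download can still carry the fixes; the thing to compare is the installed package version against the changelog. The following is an added example, not code from this thread or from Excito: it implements dpkg's version ordering (epoch, then upstream version, then Debian revision, with `~` sorting before everything and digit runs compared numerically) and uses it to list the CVEs that an installed version still lacks, taking the changelog excerpt quoted in the post above as input. The installed version strings fed to it are made up. On the box itself `dpkg -s phpmyadmin | grep Version` gives the installed version, and `apt-cache policy phpmyadmin` shows what apt would install once the security line is in sources.list and `apt-get update` has run.

```python
import re

# Constructed input: the three oldstable-security changelog entries quoted in
# this thread, in Debian changelog layout.
CHANGELOG = """\
phpmyadmin (4:2.9.1.1-13) oldstable-security; urgency=low

  * Fix inverted logic in documentation of new script.

phpmyadmin (4:2.9.1.1-12) oldstable-security; urgency=high

  * Upload to oldstable to fix security issues.
  * Cross site scripting (CVE-2009-3696, closes: #552194).
  * Allow saving of configuration from setup script only after
    explicit action from administrator (closes: #535044, #543460).

phpmyadmin (4:2.9.1.1-11) oldstable-security; urgency=high

  * Upload to oldstable to fix security issues.
  * Cross site scripting in export page using cookies.
    [CVE-2009-1150, PMASA-2009-2]
  * Static code injection in setup.php. This file should normally
    be protected by Apache authentication.
    [CVE-2009-1151, PMASA-2009-3]
"""


def _order(c):
    """dpkg's character weight: '~' < end-of-string < digits < letters < other."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two upstream-version or revision strings the way dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: strip leading zeros, then the longer run wins, else first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i].isdigit() and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def split_version(v):
    """Split 'epoch:upstream-revision' into its parts (epoch 0 and empty revision by default)."""
    epoch, sep, rest = v.partition(":")
    if not sep:
        epoch, rest = "0", v
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, u1, r1 = split_version(v1)
    e2, u2, r2 = split_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
    return -1 if c < 0 else (1 if c > 0 else 0)


def fixes_by_version(changelog):
    """Map each package version in a Debian changelog to the CVE ids its entry names."""
    fixes, current = {}, None
    for line in changelog.splitlines():
        m = re.match(r"^phpmyadmin \((\S+)\) ", line)
        if m:
            current = m.group(1)
            fixes.setdefault(current, set())
        elif current:
            fixes[current].update(re.findall(r"CVE-\d{4}-\d{4,}", line))
    return fixes


def missing_fixes(installed, changelog=CHANGELOG):
    """CVEs fixed only in versions newer than the installed one, sorted."""
    missing = set()
    for version, cves in fixes_by_version(changelog).items():
        if compare_versions(installed, version) < 0:
            missing |= cves
    return sorted(missing)
```

Note the epoch: `compare_versions("2.11.8.1-5", "4:2.9.1.1-11")` is -1, which is why a phpMyAdmin 2.11.x installed by hand from upstream would be replaced by the 2.9.1.1 security package on the next apt-get upgrade, and also why the apt version looks lower than it is.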
janeks
Posts: 78
Joined: 15 Sep 2008, 02:02

Re: phpmyadmin version and vulnerabilities

Post by janeks »

Thanks Carl for your answer!
I am a bit lost in those Apache directives and files. I tried to set up Apache to allow requests for phpMyAdmin only from the LAN, but without success. I tried

Code: Select all

Order Deny,Allow
Deny from all
Allow from 192.168.1
in /etc/phpmyadmin/htaccess, in /etc/phpmyadmin/apache.conf under the Directory directive, and also in /etc/apache2/httpd.conf, but without success...
:(

brgds
Janeks
carl
Posts: 474
Joined: 07 May 2008, 04:41

Re: phpmyadmin version and vulnerabilities

Post by carl »

janeks wrote:
Thanks Carl for your answer!
I am a bit lost in those Apache directives and files. I tried to set up Apache to allow requests for phpMyAdmin only from the LAN, but without success. I tried

Code: Select all

Order Deny,Allow
Deny from all
Allow from 192.168.1
in /etc/phpmyadmin/htaccess, in /etc/phpmyadmin/apache.conf under the Directory directive, and also in /etc/apache2/httpd.conf, but without success...
:(

brgds
Janeks
I assume your LAN is 192.168.1.0/24 (instead of the default 192.168.10.0/24)? If that is correct, then the above should work (if it's placed in the correct place).
/Carl Fürstenberg, Excito Software Developer
http://www.excito.com
support@excito.com
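To see why the `Order` line and the subnet spelling matter, here is an added example (not from this thread or from Excito) that models how Apache 2.2's mod_authz_host evaluates the three directives janeks posted for a given client address. It handles `all`, partial addresses such as `192.168.1` (which Apache treats as a leading-octets prefix, so it matches 192.168.1.0/24 but not 192.168.10.x, the default Bubba LAN Carl mentions), and CIDR or netmask forms; hostname patterns need DNS and are not modelled. The client addresses are made up. It is a model for reasoning, not Apache itself: on the box the directives have to sit inside the `<Directory /usr/share/phpmyadmin>` block of /etc/phpmyadmin/apache.conf (or in a .htaccess in that directory, which only takes effect if `AllowOverride Limit` or `All` is set for it), and Apache must be reloaded (`/etc/init.d/apache2 reload`) afterwards.

```python
import ipaddress

# Constructed input: the directives from the post, as they would appear inside
# <Directory /usr/share/phpmyadmin> in /etc/phpmyadmin/apache.conf.
PMA_ACL = """
Order Deny,Allow
Deny from all
Allow from 192.168.1
"""

# Same host lists with the order reversed: Deny now wins over Allow.
PMA_ACL_WRONG_ORDER = """
Order Allow,Deny
Deny from all
Allow from 192.168.1
"""


def parse_acl(text):
    """Return (order, allow_patterns, deny_patterns) from Order/Allow/Deny lines."""
    order, allow, deny = "deny,allow", [], []   # Apache's default order is Deny,Allow
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        kw = parts[0].lower()
        if kw == "order" and len(parts) == 2:
            order = parts[1].lower()
            if order not in ("deny,allow", "allow,deny"):
                raise ValueError(f"unsupported Order: {parts[1]}")
        elif kw in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if kw == "allow" else deny).extend(parts[2:])
        else:
            raise ValueError(f"unsupported directive: {line}")
    return order, allow, deny


def host_matches(pattern, client_ip):
    """Does one Allow/Deny host pattern match the client address?"""
    addr = ipaddress.ip_address(client_ip)
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        # a.b.c.d/nn or a.b.c.d/netmask; strict=False tolerates host bits in the pattern
        return addr in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        # partial address: the client's leading octets must agree with the pattern
        return client_ip.split(".")[:len(octets)] == octets
    raise ValueError(f"hostname patterns are not modelled: {pattern}")


def is_allowed(acl_text, client_ip):
    """Apache 2.2 semantics: with Deny,Allow access is allowed unless denied and not
    re-allowed; with Allow,Deny access is denied unless allowed and not denied."""
    order, allow, deny = parse_acl(acl_text)
    hits_allow = any(host_matches(p, client_ip) for p in allow)
    hits_deny = any(host_matches(p, client_ip) for p in deny)
    if order == "deny,allow":
        return (not hits_deny) or hits_allow
    return hits_allow and not hits_deny


if __name__ == "__main__":
    for ip in ("192.168.1.20", "192.168.10.7", "203.0.113.5"):
        print(ip, "posted ACL:", is_allowed(PMA_ACL, ip),
              "reversed Order:", is_allowed(PMA_ACL_WRONG_ORDER, ip))
```

With the reversed order the same two host lines deny everyone, including the LAN, which is the usual cause of "it doesn't work" when the directives are otherwise right. After placing the block and reloading Apache, check from a LAN host that you get the login page and from an outside address that you get 403 Forbidden; if the outside address still gets the login page, the directives are not in a section Apache applies to /phpmyadmin.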
asparak
Posts: 173
Joined: 08 Jun 2009, 07:38

Re: phpmyadmin version and vulnerabilities

Post by asparak »

The other tactic you could try is just to set up the phpMyAdmin directory with a .htaccess, following the HOWTO on this forum.