Hi Dne Mon, 29 Jun 2009 14:07:50 +0200 Thijs Kinkhorst <th...@debian.org> napsal(a):
> Ah right. I don't think there's a way we can realistically do anything about
> an already-compromised installation. That is a general truth for any
> vulnerability: how can we know to what extent the attacker has influenced the
> system?
>
> We could release a fix of config.inc.php which rejects requests specific to
> the worm that was released. But this is an incomplete fix necessarily.
> Wouldn't that bring a false sense of security?
Well most problems come from the fact, that setup script is not
protected, when user does not use our config snippets for webserver
(otherwise the setup script would be password protected and it would
not be an issue). In this case we can try to check for some things
(like usage of system()), but you're right, this would be incomplete
fix.
Anyway we should somehow protect against such situations (unprotected
setup script which can change configuration). Maybe making
/var/lib/phpmyadmin/config.inc.php writable for www-data only if user
has enabled our snippets through debconf?
--
Michal Čihař | http://cihar.com | http://blog.cihar.com
signature.asc
Description: PGP signature
