Submitted by isdahlc on Sat, 09/10/2011 - 09:18 Pro Licensee
Guys,
Is there a way to have the phpMyAdmin installation script "lock down" the scripts/ directory on installation so the /phpmyadmin/scripts/setup.php vulnerability is eliminated?
This is a notification from McAfee Secure scanning service.
Thanks
Craig
Status:
Closed (fixed)
Comments
Submitted by JamieCameron on Sat, 09/10/2011 - 11:27 Comment #1
Sure, I will have the installer do this in the next release.
By the way, Virtualmin supports phpMyAdmin 3.4.4 which doesn't appear to have that vulnerable setup.php script.
Submitted by isdahlc on Sat, 09/10/2011 - 14:05 Pro Licensee Comment #2
v3.4.3.1 is the latest I see in Virtualmin GPL - is that update only available in Pro version?
Submitted by JamieCameron on Sat, 09/10/2011 - 23:05 Comment #3
Are you running Virtualmin GPL version 3.87? Because it definitely includes an installer for phpMyAdmin version 3.4.3.1.
Submitted by isdahlc on Mon, 09/12/2011 - 06:41 Pro Licensee Comment #4
I've tried a couple of times to reply with an attachment but am unable to upload, it just says uploading forever but never finishes.
In any event, we are running Virtualmin version 3.87.gpl GPL and the only 2 phpMyAdmin options available to me via "scripts" are 3.4.3.1 and 2.11.11.3.
Submitted by andreychek on Mon, 09/12/2011 - 09:39 Comment #5
Jamie, in both Virtualmin GPL and Virtualmin Pro, I can confirm that the version of phpMyAdmin that's available is 3.4.3.1, and not 3.4.4.
That's using Virtualmin 3.87, and not using the updated script repositories.
Submitted by JamieCameron on Mon, 09/12/2011 - 11:06 Comment #6
My mistake, Virtualmin 3.88 will include an installer for phpMyAdmin 3.4.4.
However, phpMyAdmin 3.4.3.1 doesn't appear to include the vulnerable scripts/setup.php file.
Submitted by isdahlc on Mon, 09/12/2011 - 15:42 Pro Licensee Comment #7
However, phpMyAdmin 3.4.3.1 doesn't appear to include the vulnerable scripts/setup.php file.
Yea, I thought upgrading would resolve the issue but we are still receiving the PCI compliance warning... Running phpMyAdmin 3.4.3.1.
Submitted by JamieCameron on Mon, 09/12/2011 - 16:16 Comment #8
Does that file still exist under your phpMyAdmin install directory? When upgrading, Virtualmin doesn't delete old files .. so you may have to instead un-install phpMyAdmin and then re-install with the same settings.
Submitted by isdahlc on Tue, 09/13/2011 - 13:32 Pro Licensee Comment #9
That was really odd. There was a manually installed version of phpmyadmin which we moved to tmp/ then installed using the script w/in VM so technically it was a "clean" installation the first time around. I deleted then reinstalled using the scripts and it seems to be corrected!
Thanks!
Craig
Submitted by Issues on Tue, 09/27/2011 - 15:22 Comment #10
Automatically closed -- issue fixed for 2 weeks with no activity.
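
An added example, not part of the thread and not Virtualmin's installer code: one way to check for the situation described in comment #8, where an upgrade leaves files from the old version in place, and to lock down scripts/ as asked in the original post. It assumes a freshly unpacked copy of the installed release is available to compare against; the function names and all paths are hypothetical.

```shell
#!/bin/sh
# Added example (not Virtualmin's installer code). All paths are supplied by
# the caller; nothing here is specific to a real server layout.

# list_leftovers INSTALLED PRISTINE
# Prints the files (relative paths) that exist under INSTALLED but not under
# PRISTINE, i.e. files an in-place upgrade did not delete. Locally created
# files such as a config file are listed too and need manual review.
list_leftovers() {
    a=$(mktemp) b=$(mktemp)
    (cd "$1" && find . -type f | LC_ALL=C sort) > "$a"
    (cd "$2" && find . -type f | LC_ALL=C sort) > "$b"
    # comm -23 keeps lines that appear only in the first (installed) list.
    LC_ALL=C comm -23 "$a" "$b" | sed 's|^\./||'
    rm -f "$a" "$b"
}

# lock_down_scripts INSTALLED
# If INSTALLED/scripts/setup.php is present, removes every permission bit
# from the scripts/ directory so a non-root web server or PHP process cannot
# open anything inside it, and prints the directory that was locked.
# Returns 1 when there is no scripts/setup.php to lock down.
lock_down_scripts() {
    [ -f "$1/scripts/setup.php" ] || return 1
    chmod 000 "$1/scripts" && printf '%s\n' "$1/scripts"
}

# Stand-alone use: sh script.sh INSTALLED_DIR PRISTINE_DIR
if [ "$#" -eq 2 ]; then
    list_leftovers "$1" "$2"
fi
```

Locking the directory only hides the file; deleting the leftovers, or the un-install and re-install suggested in comment #8, removes it.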