[Secure-testing-team] phpmyadmin update

Moritz Muehlenhoff jmm at inutil.org
Tue May 8 22:12:23 UTC 2007


On Tue, May 08, 2007 at 06:33:40PM +0200, Florian Weimer wrote:
> * Thijs Kinkhorst:
> 
> > - CVE-2007-1325 is a workaround for PHP issue CVE-2006-1549. That issue has 
> > been fixed in PHP already, or would need to be fixed there. It's not an issue 
> > for phpmyadmin specifically, and should be regarded as not relevant for us.
> 
> Thanks for the explanation.

Hmm, I'm not sure about this. The issue at hand seems like a generic design issue
in PHP that's unlikely to be ever fixed inside the interpreter. I would assume
that limits to recursion depth would need to be imposed application-specific
instead.

What's the outlined attack here? A database administrator being able to DoS
the webserver instance serving his phpmyadmin instance or being able to mess
up the MySQL database itself? If it's the former it appears harmless anyway.

Cheers,
        Moritz


