Message-ID: <4FABF4F7.3080501@redhat.com>
Date: Thu, 10 May 2012 11:03:51 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: phpMyFAQ default password 1.3.2

On 05/10/2012 01:39 AM, Henri Salo wrote:
> This is very old issue from 2003 without CVE-identifier.
>
> Description:
>
> By default, phpMyFAQ installs with a default password. An
> unspecified account has an unspecified password which is publicly
> known and documented. This allows attackers to trivially access the
> program or system and gain privileged access.
>
> http://osvdb.org/show/osvdb/81714
> http://www.phpmyfaq.de/changelog.php
>
> Is there a general CVE-identifier for issues like default password,
> which I think would be OK in case like this? If user upgraded
> installation from old version to new this was not fixed in the
> process.
>
> - Henri Salo

I'll need at least the account name so I can confirm this. Or if you
diff the code I'm guessing it will stand out easily.

-- 
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993