<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Hey Marcelo,<br>
<br>
Awesome. I'll test that repo, but if there are a lot of dependencies
I'll hold off until CentOS 6, and in the meantime I'm protecting
phpmyadmin with digest access on the directory.<br>
<br>
For anyone who wants to do the same, here's the tip:<br>
<br>
1) confirm in httpd.conf that digest is enabled:<br>
<br>
LoadModule auth_digest_module modules/mod_auth_digest.so<br>
<br>
2) create the password file with a user:<br>
<br>
# htdigest -c /etc/httpd/conf/digest.conf "Acesso Restrito" gondim<br>
<br>
"gondim" would be the user you want to create. You only use -c once,
to create the file.<br>
<br>
3) set up the protection on the directory:<br>
<br>
<Directory "/usr/share/phpmyadmin"><br>
# Order Deny,Allow<br>
# Deny from all<br>
# Allow from 192.168.10.0/24<br>
AuthType Digest<br>
AuthName "Acesso Restrito"<br>
AuthUserFile /etc/httpd/conf/digest.conf<br>
AuthDigestProvider file<br>
Require valid-user<br>
# Require user gondim<br>
# Satisfy any<br>
</Directory><br>
<br>
Alias /phpmyadmin /usr/share/phpmyadmin<br>
Alias /phpMyAdmin /usr/share/phpmyadmin<br>
Alias /mysqladmin /usr/share/phpmyadmin<br>
<br>
In that case you can edit /etc/httpd/conf.d/phpmyadmin.conf and make
this change. :)<br>
<br>
<br>
On 17-01-2011 07:21, Marcelo Subtil Marcal wrote:
<blockquote
cite="mid:AANLkTimUwvcLXWs295X6yAx32AhNPq63b5k-q+FoZeSm@mail.gmail.com"
type="cite">Hello Marcelo,
<div><br>
</div>
<div>
<div>I found the phpMyAdmin-3.3.9 package only in the REMI
repository, but with dependencies on php-5.2.0.</div>
<div><br>
</div>
<div>In case you are interested in setting up that repository:</div>
<div><br>
</div>
<div># rpm -Uvh <a moz-do-not-send="true"
href="http://rpms.famillecollet.com/el5.i386/remi-release-5-8.el5.remi.noarch.rpm">http://rpms.famillecollet.com/el5.i386/remi-release-5-8.el5.remi.noarch.rpm</a></div>
<div><br>
</div>
<div>Cheers</div>
<div><br clear="all">
<div title="signature">
<div dir="ltr">
<div style="padding: 5px 0pt; font-family:
arial,sans-serif; font-size: 13.3px;"><span
style="color: rgb(0, 0, 0); border-collapse:
collapse;">
<div style="display: inline ! important;">
<span style="font-size: medium;"><em><strong><span
style="color: rgb(51, 102, 255);">Marcelo
Subtil Marçal</span></strong></em></span></div>
</span><br>
<span style="color: rgb(0, 0, 0); border-collapse:
collapse;">
<div><span style="font-size: xx-small;"><span
style="font-style: italic;"><a
moz-do-not-send="true" style="color: rgb(7,
77, 143); font-family: verdana,sans-serif;"
href="mailto:marcelo@smarcal.com"
target="_blank"><span style="font-size:
x-small;">marcelo@smarcal.com<br>
</span></a></span></span></div>
</span></div>
</div>
</div>
<br>
<br>
<br>
<div class="gmail_quote">On Sun, Jan 16, 2011 at 4:58 PM,
Marcelo Gondim <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:gondim@linuxinfo.com.br">gondim@linuxinfo.com.br</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
0.8ex; border-left: 1px solid rgb(204, 204, 204);
padding-left: 1ex;">
Hello everyone,<br>
<br>
The PHPMyAdmin versions I have seen, from both rpmforge and
EPEL, are<br>
vulnerable to these problems:<br>
<br>
CVE-2010-4329<br>
<br>
Cross site scripting was possible in search, that
allowed<br>
a remote attacker to inject arbitrary web script or
HTML.<br>
<br>
CVE-2010-4480<br>
<br>
Cross site scripting was possible in errors, that
allowed<br>
a remote attacker to inject arbitrary web script or
HTML.<br>
<br>
CVE-2010-4481<br>
<br>
Display of PHP's phpinfo() function was available to
world, but only<br>
if this functionality had been enabled (defaults to
off). This may<br>
leak some information about the host system.<br>
<br>
An example of how to test:<br>
<br>
<a moz-do-not-send="true"
href="http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]"
target="_blank">http://127.0.0.1/phpmyadmin/error.php?type=This+is+a+client+side+hole+evidence&error=Client+side+attack+via+characters+injection[br]It%27s+possible+use+some+special+tags+too[br]Found+by+Tiger+Security+Tiger+Team+-+[a%40http://www.tigersecurity.it%40_self]This%20Is%20a%20Link[%2Fa]</a><br>
<br>
</blockquote>
</div>
</div>
</div>
<pre wrap="">
_______________________________________________
CentOS-pt-br mailing list
<a class="moz-txt-link-abbreviated" href="mailto:CentOS-pt-br@centos.org">CentOS-pt-br@centos.org</a>
<a class="moz-txt-link-freetext" href="http://lists.centos.org/mailman/listinfo/centos-pt-br">http://lists.centos.org/mailman/listinfo/centos-pt-br</a>
</pre>
</blockquote>
<br>
</body>
</html>