On Fri, Aug 21, 2009 at 11:29:17PM +0200, Rainer Duffner wrote: > > Am 21.08.2009 um 23:24 schrieb R P Herrold: > > > On Fri, 21 Aug 2009, Gregory P. Ennis wrote: > > > >> place. I looked like the hacker downloaded his paypal spoof files > >> into > >> a subdirectory of /var/www/phpmyadmin > >> > >> I am running 5.3 with all current updates. > > > > and third party software as well. > > > > We do not ship phpmyadmin, and clearly and repeatedly caution > > against it in the IRC channel -- its CVE history is > > appalling, and people are just not willing to remove it, or > > limit it to just a specific IP (not that I expect its ACL > > model to work either) > > Is there an alternative? > I do think that it's the Internet Explorer of OSS. > The General Public loves it, the admins hate it - but use it > nevertheless.... > Because there's no alternative. > Nope, but you can take steps to prevent (or make it more difficult) for people that shouldn't be accessing it from accessing it. Apache allow from, etc... basic authentication, make sure you're using HTTPS and selinux. Ray