oss-sec mailing list archives

Re: CVE-request: phpMyFAQ default password 1.3.2


From: Kurt Seifried <kseifried () redhat com>
Date: Thu, 10 May 2012 11:03:51 -0600

On 05/10/2012 01:39 AM, Henri Salo wrote:
> This is a very old issue from 2003 without a CVE identifier.
>
> Description:
>
> By default, phpMyFAQ installs with a default password. An
> unspecified account has an unspecified password which is publicly
> known and documented. This allows attackers to trivially access the
> program or system and gain privileged access.
>
> http://osvdb.org/show/osvdb/81714
> http://www.phpmyfaq.de/changelog.php
>
> Is there a general CVE identifier for issues like default passwords,
> which I think would be OK in a case like this? If a user upgraded an
> installation from an old version to a new one, this was not fixed in
> the process.
>
> - Henri Salo

I'll need at least the account name so I can confirm this. Or if you
diff the code I'm guessing it will stand out easily.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
