Daily Archives: July 3, 2009

phpmyadmin in ubuntu now being exploited en-masse

Update: ubuntu patched this issue a couple of days after this post. If you’re reading, thanks guys! You just made my job a lot easier 🙂

At some point, I might try to look at helping maintain this, and other packages like it in the ubuntu archive. No idea how, though a colleague may be able to help…

———————–

The versions of phpmyadmin in ubuntu (at least Dapper – Intrepid) are susceptible to arbitrary code execution, as the web-server’s user. A bug [1] was reported on the 15th of June about this issue, and marked as high priority on the 21st.

The phpmyadmin team patched this problem in their software on May the 24th. [2]

Debian patched this in their system on the 25th of June.

I tried talking to people on #ubuntu-security about this problem. They said “motu” and “we’re not interested, it’s in universe”. I tried talking to people in #motu, and they talked about work-arounds.

The main questions now are:

  • Please can someone work on the bug?
  • Why did it take so long between upstream report and launchpad report?
  • Why has the bug been left to the point where it is getting automatically exploited, en-masse? [3]

  1. https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/387215
  2. http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php
  3. http://seclists.org/fulldisclosure/2009/Jul/0021.html

BBC – Mixed results for green IT goals

BBC NEWS | Technology | Mixed results for green IT goals.

Nice new BBC news article, about how the majority of government IT managers don’t know that they’re supposed to be reducing their carbon footprint.

One of the hints is that the “proliferation” of “air conditioning of server rooms” (among other things) is the cause.

I’d like to see you run a datacentre (tons of computer servers, really big pipe to the internet etc) without air conditioning. If we turn ours off for 10 minutes, the temperature gets sweltering. 30 minutes and old hard drives start failing. Dumb.