Rather than rely on the install person to do the right thing after this is installed by Virtualmin, the installer itself should do so.
After installation is complete, the setup directory should be removed or secured. Lots of brute force scripts look for the setup directory and do various bad things with it. An example, can be found here:
http://secunia.com/advisories/34727/
While that particular problem may be resolved, it does not mean there aren't more. Note the comment in the report "NOTE: Successful exploitation requires that installation best-practices have not been followed and the setup scripts have not been deleted after a successful installation.".
So, the install script should be changed to remove this directory.
phpmyadmin is a dangerous program!
Comments
Submitted by JamieCameron on Wed, 02/24/2010 - 12:56 Comment #1
Thanks, I didn't know about that directory. This will be removed in Virtualmin 3.78.
Submitted by Issues on Wed, 03/10/2010 - 14:22 Comment #2
Automatically closed -- issue fixed for 2 weeks with no activity.
Submitted by kenlyle on Sun, 03/14/2010 - 11:14 Comment #3
What about retroactive patching of installed PHPMyAdmin instances?
Submitted by JamieCameron on Sun, 03/14/2010 - 13:11 Comment #4
The directory will be removed when you do the next phpMyAdmin upgrade from within Virtualmin.