Hi Guys,
I've just had a major security hole reported to me by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Basically, by searching on Google for "Welcome to phpMyAdmin" or its
translated equivalents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1".
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAd…
Using some of these URLs you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
Here is a front page:
http://garfield.vet.fnt.hvu.nl/counter/myadmin/
And other nefarious things. I found a few sites where I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
2. We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that insecure method back on should
have huge warnings around it.
--
Robin Hugh Johnson
E-Mail : robbat2(a)orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
Hi list,
please read this mail I received a few hours ago.
Alexander
----- Original Message -----
From: "Lukas Smith" <smith(a)dybnet.de>
To: <rabus(a)bugfixes.info>
Sent: Tuesday, August 13, 2002 12:12 AM
Subject: phpMyAdmin and MDB/Metabase
Hi,
I am the author of MDB
(http://cvs.php.net/co.php/pear/MDB/Readme.txt?r=1.17)
MDB (taken from Metabase) features an RDBMS independent xml schema
management. I am getting close to a 1.0 release of MDB this month. But
the xml schema format has been stable for quite some time.
It would be cool if there would be some cooperation with the phpMyAdmin
project.
Anyways, something that MDB supports, which Metabase currently only has in
beta, is reverse engineering of existing databases (currently only for
MySQL). Since it is impossible to map MySQL datatypes perfectly to MDB
datatypes (for example, is int(1) just an integer field with length 1 or
actually a Boolean field?), there needs to be some "interactive" app
to handle this.
This is just one area where I could see cooperation.
Another would be to use MDB's schema management features (dumping to and
updating from an xml schema) or displaying MDB types instead of MySQL
types.
I know the scope of MDB is beyond "just" MySQL. I don't know how close
the cooperation is with the other php*Admin projects. But this is
obviously something where cooperation would be great.
I am mailing you because, according to the credits, you were responsible
for the current xml dump code. If this proposal does not interest you,
yet you know someone that might be interested, please forward this mail to
that person.
Thx in advance ..
Regards,
Lukas Smith
smith(a)dybnet.de
_______________________________
DybNet Internet Solutions GbR
Reuchlinstr. 10-11
Gebäude 4 1.OG Raum 6 (4.1.6)
10553 Berlin
Germany
Tel. : +49 30 83 22 50 00
Fax : +49 30 83 22 50 07
www.dybnet.de info(a)dybnet.de
Hi list,
There is a serious bug in 2.2.7 (#594031) that makes this version partly
useless.
I have already merged the fix in CVS: sql.php3 is the only file that is
affected.
Would it be possible to release a 2.2.7-pl1 silently with the corrected file
inside?
I'm sorry for that. I really don't know how such a stupid bug could get into
the code.
Alexander
At 13:12 12.08.2002 -0700, you wrote:
>On Mon, 12 Aug 2002, Marc Delisle wrote:
> > > On Mon, 12 Aug 2002, Marc Delisle wrote:
> > > > > I've just merged a fix against that, but it needs some testing
> since I do
> > > > > not have a machine here which is affected by this security hole.
> > > > you won't like me, but I think we should wait to include a fix for a
> > > > "hole" until a developer can reproduce it.
> > >
> > > I'm going to set up a copy of PMA that exhibits the security hole for us
> > > to test out the bug. Give me a day or two, as I have some more pressing work
> > > at the moment.
> > Robin,
> >
> > the "goto" problem?
> >
> > Marc
>I've checked out the goto problem, and you were right, it is fixed in the
>recent releases. It now limits you to files only in the phpMyAdmin install
>directory. Which can still be a problem in itself I think.
>
>On checking out the other problem with systems totally open using the
>config mechanism, try out this series of SQL Commands:
>
>First time around:
>CREATE TABLE testB ( t mediumtext );
>LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE
>testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
>
>Where you need to change the path of the file, and the 'TERMINATED BY'
>parts for your own systems.
>
>When that completes,
>I ran this:
>SELECT * FROM testB WHERE t like '%Server%' AND (t like '%user%' or t like
>'%password%');
>
>To get just the PMA authentication data.
>
>Of course, this exploit requires that the user have the FILE privilege.
AND CREATE rights on MySQL as well ;-)) at least somewhere ;-)
>This would apply to all cases where PMA has been set up with the user as
>root, or anybody else with the FILE privilege.
>
>I'm carrying on looking for more holes along these lines.
>
>--
>Robin Hugh Johnson
>E-Mail : robbat2(a)orbis-terrarum.net
>Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
>ICQ# : 30269588 or 41961639
>
>
>
>_______________________________________________
>Phpmyadmin-devel mailing list
>Phpmyadmin-devel(a)lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
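Robin's LOAD DATA INFILE sequence above is exactly what a FILE-privileged account behind config auth hands to every visitor. As an added example (not phpMyAdmin's own code), here is a check a front page could run over the rows of SHOW GRANTS FOR CURRENT_USER() to warn when the configured account holds FILE, either directly or through ALL PRIVILEGES ON *.*. The GRANT strings and the server entries are constructed for the example; the array keys follow the $cfg['Servers'][$i] layout ('auth_type', 'user', 'password'), and the code assumes PHP 7.1 or later.

```php
<?php
// Added example, not phpMyAdmin code: decide whether a config-auth server entry
// should trigger a warning because its MySQL account can read files from the
// server filesystem (FILE privilege), which is what LOAD DATA INFILE needs to
// copy config.inc.php into a table.

/**
 * True if any line of SHOW GRANTS output conveys the global FILE privilege.
 * FILE is a global privilege, so only "ON *.*" grants are relevant, and
 * "ALL PRIVILEGES ON *.*" implies it.
 */
function grantsIncludeFile(array $grantLines): bool
{
    foreach ($grantLines as $line) {
        if (!preg_match('/^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\b/i', $line, $m)) {
            continue; // database- or table-level grant: cannot carry FILE
        }
        $privs = array_map('trim', explode(',', strtoupper($m[1])));
        if (in_array('ALL PRIVILEGES', $privs, true) || in_array('FILE', $privs, true)) {
            return true;
        }
    }
    return false;
}

/**
 * Warnings for one $cfg['Servers'][$i] entry, given that account's grants.
 * Returns an empty array when there is nothing to complain about.
 */
function configAuthWarnings(array $server, array $grantLines): array
{
    $warnings = [];
    if (($server['auth_type'] ?? 'config') !== 'config') {
        return $warnings; // http auth: no credentials stored in the file to leak
    }
    $warnings[] = "auth_type 'config': credentials for user '{$server['user']}' "
        . "are stored in config.inc.php and used for every visitor.";
    if (($server['user'] ?? '') === 'root') {
        $warnings[] = "The configured account is root; every visitor gets full rights.";
    }
    if (grantsIncludeFile($grantLines)) {
        $warnings[] = "The account has the FILE privilege: LOAD DATA INFILE can "
            . "copy config.inc.php (and any other readable file) into a table.";
    }
    return $warnings;
}

// Constructed sample input: three server entries and the grants of their accounts.
$samples = [
    [
        ['auth_type' => 'config', 'user' => 'root', 'password' => 'secret'],
        ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"],
    ],
    [
        ['auth_type' => 'config', 'user' => 'app', 'password' => 'secret'],
        ["GRANT USAGE ON *.* TO 'app'@'localhost'",
         "GRANT SELECT, INSERT, UPDATE, DELETE ON `app`.* TO 'app'@'localhost'"],
    ],
    [
        ['auth_type' => 'http', 'user' => '', 'password' => ''],
        [],
    ],
];

foreach ($samples as [$server, $grants]) {
    echo "user='{$server['user']}' auth_type='{$server['auth_type']}':\n";
    $w = configAuthWarnings($server, $grants);
    echo $w ? "  - " . implode("\n  - ", $w) . "\n" : "  (no warnings)\n";
}
```

The first entry produces all three warnings, the second only the config-auth notice (its grants are database-scoped, so no FILE), and the http entry none. Note that the grants check is about the account phpMyAdmin itself connects with; a restricted account does nothing against an attacker who already has a FILE-privileged login of their own.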
Hi list,
I've just read the release notes on phpmyadmin.net:
"new languages: slovenian, afrikaans, hindi"
There's a fourth new language in 2.2.7 and 2.3.0: albanian.
Alexander
Hi Robin and the others,
>http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdm
>in+2.3.0%22&meta=
> >
> > With using some of these URL's you can do stuff like:
> > http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
>
>I've just merged a fix against that, but it needs some testing since I do
>not have a machine here which is affected by this security hole.
*G* That has been a very stupid function in the first place .. one should
always watch security when coding such stuff.
I did not check how you fixed that, but I guess the easiest way would be
to add $cfg['PmaAbsoluteUri'] to the $is_gotofile var,
so the above would result in
"http://www1.tsimtung.com/phpMyAdmin/etc/passwd" and therefore fail ;-)
Oops, sorry, wrong var *G*. It should be the filesystem path to PMA and not
the URL path to PMA ;-))))
Thomas
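Anchoring goto to the install directory, as Thomas suggests, is the right direction, but a plain path prefix still lets "../" walk back out of it. As an added example (not the fix that went into CVS), here is a resolver that accepts only a known list of phpMyAdmin scripts and, as defence in depth, checks the realpath()-resolved file against the install directory before anything includes or reads it. The script names in the allow-list and the temporary directory the script builds to exercise itself are assumptions for the example (PHP 7 or later).

```php
<?php
// Added example, not the phpMyAdmin fix: validate the "goto" parameter before
// any include/readfile. Two layers: (1) an allow-list of the scripts goto may
// legitimately name, (2) a realpath() containment check so that even a mistake
// in the list cannot let a value such as "../../etc/passwd" escape $pmaDir.

/** Scripts that goto may point at (assumed list for the example). */
const GOTO_ALLOWED = ['main.php', 'db_details.php', 'tbl_properties.php', 'sql.php'];

/**
 * Return the absolute path of the file goto names, or null if it is not allowed.
 */
function resolveGotoFile(string $goto, string $pmaDir): ?string
{
    $base = realpath($pmaDir);
    if ($base === false) {
        return null;
    }
    // First layer: anything that is not literally an allowed script name is out.
    if (!in_array($goto, GOTO_ALLOWED, true)) {
        return null;
    }
    // Second layer: resolve symlinks and "." / ".." and insist the result is
    // still inside $base. The prefix compare includes the trailing separator so
    // that "/srv/pma" cannot match a sibling such as "/srv/pma2/...".
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $goto);
    if ($candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Self-check on a throwaway install directory (constructed for the example).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pma_goto_example_' . getmypid();
mkdir($dir, 0700);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'db_details.php', "<?php // stub\n");

$cases = [
    'db_details.php',          // legitimate target that exists
    'main.php',                // allowed name, but the file is absent here
    '/etc/passwd',             // the reported attack
    '../../etc/passwd',        // would survive a naive prefix of $pmaDir
    "db_details.php\0.txt",    // NUL-byte trick against older PHP versions
];
foreach ($cases as $goto) {
    $res = resolveGotoFile($goto, $dir);
    printf("%-24s => %s\n", addcslashes($goto, "\0"), $res === null ? 'REJECTED' : $res);
}

unlink($dir . DIRECTORY_SEPARATOR . 'db_details.php');
rmdir($dir);
```

Only the first case resolves; "main.php" is rejected because the file does not exist in the throwaway directory, and the other three never reach the filesystem at all. Keeping the allow-list as the primary gate means the realpath() check is there for the day someone adds a directory-bearing entry to the list, not as the only thing standing between goto and /etc/passwd.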
> Could we detect a .htaccess protection?
> If so, let's display a big red warning if someone uses the
> config auth mode
> without a .htaccess protection...
>
> Alexander
>
we could detect if HTTP_AUTH_USER is set
also: is a robots.txt file only searched for in the main
directory of a domain or can it also be in subdirectories? if
it can be then we could also put a robots.txt file in the
dist that disallows robots to go there.
--
Mike Beck
mike.beck(a)users.sourceforge.net
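Mike's two points in one added example (not phpMyAdmin code): treat config auth as unprotected unless the web server has already authenticated the request, and mark every served page as not indexable. Apache's mod_php fills PHP_AUTH_USER after a successful Basic auth, so that is the variable to look at, with REMOTE_USER as the fallback some CGI/FastCGI setups populate instead; where PHP runs as a CGI without that passthrough neither is set and the check raises a false alarm, which is the caveat to document beside it. On the robots question: robots.txt is only fetched from the root of a host, so a copy shipped in the phpMyAdmin directory is ignored; the per-page meta tag (and, on current servers, an X-Robots-Tag header) is what works. The $_SERVER arrays below are constructed so the script runs from the CLI.

```php
<?php
// Added example, not phpMyAdmin code: (1) decide whether a config-auth server
// entry is exposed because nobody upstream authenticated the request, and
// (2) emit the robots directives that keep the installation out of search
// engines. Both take explicit arrays so they can be exercised from the CLI.

/**
 * True if the web server already authenticated this request.
 * PHP_AUTH_USER is set by Apache's mod_php after HTTP Basic auth; REMOTE_USER /
 * REDIRECT_REMOTE_USER cover CGI/FastCGI setups that pass the user through.
 * Caveat: a CGI setup that passes neither makes this return false even behind
 * a working .htaccess, so the warning text must say how to silence it.
 */
function requestIsHttpAuthenticated(array $server): bool
{
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER'] as $key) {
        if (!empty($server[$key])) {
            return true;
        }
    }
    return false;
}

/**
 * Warning text for a $cfg['Servers'][$i] entry, or null if nothing is wrong.
 * Only auth_type 'config' stores credentials in config.inc.php, and only then
 * does the absence of upstream authentication hand the database to anyone.
 */
function unprotectedConfigAuthWarning(array $cfgServer, array $server): ?string
{
    if (($cfgServer['auth_type'] ?? 'config') !== 'config') {
        return null;
    }
    if (requestIsHttpAuthenticated($server)) {
        return null;
    }
    return "auth_type 'config' is in use for user '{$cfgServer['user']}' and this "
        . "request was not authenticated by the web server (no PHP_AUTH_USER / "
        . "REMOTE_USER). Protect this directory with .htaccess or switch to "
        . "auth_type 'http'.";
}

/** Meta tag to put in the <head> of every page phpMyAdmin serves. */
function robotsMetaTag(): string
{
    return '<meta name="robots" content="noindex,nofollow">';
}

/** Header to send before any output; covers non-HTML responses as well. */
function sendRobotsHeader(): void
{
    if (!headers_sent()) {
        header('X-Robots-Tag: noindex, nofollow');
    }
}

// Constructed sample: one config-auth entry seen through three kinds of request.
$cfgServer = ['auth_type' => 'config', 'user' => 'root', 'password' => ''];
$requests = [
    'bare request'               => ['REQUEST_METHOD' => 'GET'],
    'behind .htaccess (mod_php)' => ['REQUEST_METHOD' => 'GET', 'PHP_AUTH_USER' => 'admin'],
    'behind auth (FastCGI)'      => ['REQUEST_METHOD' => 'GET', 'REMOTE_USER' => 'admin'],
];
sendRobotsHeader();
foreach ($requests as $label => $server) {
    $w = unprotectedConfigAuthWarning($cfgServer, $server);
    echo $label, ': ', $w ?? 'ok', "\n";
}
echo robotsMetaTag(), "\n";
```

Only the bare request draws the warning. The meta tag belongs in the common page header so that every script, not just the front page, carries it; the robots directive stops new listings from appearing but does nothing for installations Google has already indexed, which still need the .htaccess or a change of auth_type.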