Hi Sebastian!
I've never seen a server where .sh scripts can be executed with a usual web application folder. If bash files are executed, they usually have to live within a cgi-bin folder, and even then, .sh is seldom included in the CGI-folder. Plus, such a file would have the "execute" flag set, which PHP scripts don't require.
Hey, this was a joke, and "never seen" does not mean "never happens"!
I'm sorry then, I didn't get the joke. :)
We should prevent accessing PHP scripts that are not required for phpMyAdmin operation, to not create an attack/intrusion vector for possible hackers. If that file is only required for developers, only make it available for developers, or make developers change the filename to be able to execute it. Don't bother the usual user with such a file, for whom such a file can only do evil and nothing good.
Change it ... if you like ... I don't see it like you do ...
I would like to get feedback from Marc or Michal: how do you feel about that?
That's what the last couple of security bugfixes were about. Until the code has been FULLY reworked, we cannot guarantee there are still register_global issues left. :-)
These security fixes were BEFORE PMA always reverts register_globals.
I haven't seen the new code yet, but if you say we have a working code that
makes injecting global variables IMPOSSIBLE, then please disregard my concern.
So it's not more a 'register globals' problem than a 'what does PMA automatically import' problem.
Well, to me both questions lead to the same security issue about injecting
variables that PMA did not want.
Best regards,
Garvin
--
++ Garvin Hicking | Web Developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in