----- Original Message ----- From: "Robin Johnson" robbat2@fermi.orbis-terrarum.net
I've just had a major security hole reported to me by Colin Keigher (AnimeFreak) animefreak@users.sourceforge.net It relates to how some sites have PMA set up (they have username and password hardcoded, without any .htaccess protection).
Arg...! No comment :o)
Basically, by searching on Google for "Welcome to phpMyAdmin" or it's translated equivilents, you can find a lot of PMA installations. You can put the version number in there as well, like "Welcome to phpMyAdmin 2.3.0-rc1" Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome... in+2.3.0%22&meta=
With using some of these URL's you can do stuff like: http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do not have a machine here which is affected by this securety hole.
And other nefarious things. I found a few sites where I could access their entire database with full rights, even some where they have configured the user to root and I could change the mysql database.
Cool! We've built a hacking tool!
This is what we need to do to fix it:
- All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the search engines.
I agree, but we cannot trust in these directives, imho.
- We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should authenticate against a user/password pair in an array inside the configuration file. It might be possible to keep the automatic login of user/password, but it should not be enabled by default, for security. And the configuration option to turn that unsecure method back on should have huge warnings around it.
Could we detect a .htaccess protection? If so, let's display a big red warning if someone uses the config auth mode without a .htaccess protection...
Alexander