Hi Michal!
I can still browse in the phpMyAdmin directory - this should be fixed.
Yes, the default docpath should point to the docSQL directory. But only because the base directory for DocSQL uploads has no subdirectory of its own and therefore starts in the phpMyAdmin root. We should therefore change the main docpath from this:
$docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . eregi_replace('..*', '.', $docpath);
into this:
$docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/docSQL/' . eregi_replace('..*', '.', $docpath);
But this has some follow-up issues and needs some looking-into. I'm too tired to do this today, so next time :)
Most actions need a valid 'session' to execute cross-site scripting, which is not *that* serious.
Maybe even worse, you can include JavaScript that will read cookies with login and password...
I don't know if I understand that correctly: You can only read your own cookies with JavaScript, and you know that password already. Because when others open a PMA page without a login, they only access their empty cookie, right?
What I don't understand is why he didn't first contact the developers, as is usual with security problems...
I generally dislike the style of the author's 'report'. :)
btw: I just looked for something on the net (only .cz, searched by jyxo.cz) and I found several publicly accessible installations with config-stored passwords :-))
Yes, funny thing to do *g*
Regards, Garvin.
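
The containment goal discussed above (keeping docpath below the docSQL directory), as an added example that is not part of the original message and is not phpMyAdmin's code: instead of rewriting dots, it canonicalises the path with realpath() and checks that the result is still under the base directory. The function name `resolve_upload_dir` and the temporary directory layout are hypothetical.

```php
<?php
// Added example, not phpMyAdmin code. Names and directory layout are hypothetical.

/**
 * Resolve a user-supplied sub-path below $baseDir.
 * Returns the canonical directory path, or null if the path does not
 * exist, is not a directory, or resolves outside $baseDir.
 */
function resolve_upload_dir(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null; // base directory is missing
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare with a trailing separator so that a sibling such as
    // ".../docSQL-old" is not treated as being inside ".../docSQL".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate . DIRECTORY_SEPARATOR, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: <tmp>/pma-demo-<pid>/docSQL/project1 plus a sibling docSQL-old.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pma-demo-' . getmypid();
mkdir($root . '/docSQL/project1', 0700, true);
mkdir($root . '/docSQL-old', 0700, true);

// Constructed inputs: two that stay inside docSQL, four that must be refused.
$inputs = ['project1', '.', '..', '../docSQL-old', 'project1/../..', 'missing'];
foreach ($inputs as $input) {
    $resolved = resolve_upload_dir($root . '/docSQL', $input);
    printf("%-16s => %s\n", $input, $resolved === null ? 'rejected' : 'accepted');
}

// Remove the constructed directories again.
rmdir($root . '/docSQL/project1');
rmdir($root . '/docSQL');
rmdir($root . '/docSQL-old');
rmdir($root);
```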