12 Aug
2002
12 Aug
'02
5:10 a.m.
Hi Robin an the others,
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome... in+2.3.0%22&meta=
With using some of these URL's you can do stuff like: http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do not have a machine here which is affected by this securety hole.
*G* that has been a very stupid function in the first case .. one should always watch security than coding such stuff I did not check how you fixed that but I guess the easiest way whould be to add $cfg[PmaAsoluteUri] to the $is_gotofile var so the above would result in "http://www1.tsimtung.com/phpMyAdmin/etc/passwd" an therefor fail ;-)
Thomas