Hi Robin!
This is where a malicious input can be made, and it's not as difficult as a custom POST/GET even, just copying the HTML page, and changing a few URLs.
But this is certainly not standard workflow; you have to put your hands on an editor.
In this case, evil user is a malicious user that has access to a database or table already, and wants to root the system.
Evil user adds a transform that reads a piece of data from the server as a root user, somewhere else on the file system, say /tmp (using the docSQL bug). The fix can conform to your naming requirements or not.
Now evil user makes his own table, and puts in a value of '/etc/shadow' or any file he wants. He then gets the exact transform he wants to run on the '/etc/shadow' string. He's now got your entire /etc/shadow file, with your passwords or worse.
No. Evil user only transmits the filename he wants to have. This is now inserted into the database. Now, nothing else happens; he has to browse through a table. There, PMA reads what transformation should be applied. Because his new entry is not inside PMA/libraries/transformations (checked via RegEx), the function inside this file is not executed.
Remember, no files are uploaded inside the directory. Only if the user can put his new file into the libraries/transformation directory can he gain access to file functions. But then, he could just delete all files because he already has access. :)
Here is an idea for the quickbox, give it three mini-tabs:
Maybe it is a bit complicated to make a three-part query window, so I'll see what can be done there. Worst thing would be to have input-buttons as TAB-icons instead of text links, or to rely on JavaScript for that, again.
Just separate the code for the different parts of the tab window into different files maybe? Or is the bug JS-related?
It is JS related, because currently all history-actions are put into a single form and transmitted from there to itself over and over again.
logout - the logout link in the left frame
login - on load of the frameset
Alright. Stupid me. :-)
--
Bye,
Garvin.
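An added example, not phpMyAdmin's own code, of the allowlist check described in the thread: the transformation name read back from the database must match a plain-identifier RegEx and resolve to a regular file inside the transformations directory before anything is included or called, so a stored value such as '/etc/shadow' never reaches a file function. The directory layout (`<name>.inc.php`) and the `PMA_transformation_<name>()` naming scheme are assumptions made for the example.

```php
<?php
// Added example (not phpMyAdmin's own code). Assumed layout: every transform
// lives in $dir/<name>.inc.php and defines PMA_transformation_<name>().

function pma_transformation_is_allowed(string $name, string $dir): bool
{
    // 1. Syntactic check: a plain identifier only. Slashes, dots and NUL
    //    bytes are rejected here, so '/etc/shadow' or '../x' never get further.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return false;
    }
    // 2. Existence check: the resolved file must be a regular file located
    //    inside the transformations directory (realpath() also resolves symlinks).
    $base = realpath($dir);
    $file = realpath($dir . DIRECTORY_SEPARATOR . $name . '.inc.php');
    if ($base === false || $file === false) {
        return false;
    }
    return strpos($file, $base . DIRECTORY_SEPARATOR) === 0 && is_file($file);
}

function pma_apply_transformation(string $name, string $value, string $dir): string
{
    if (!pma_transformation_is_allowed($name, $dir)) {
        // Unknown or malformed transform: hand the raw value back untouched.
        return $value;
    }
    require_once realpath($dir) . DIRECTORY_SEPARATOR . $name . '.inc.php';
    $fn = 'PMA_transformation_' . $name;
    return function_exists($fn) ? $fn($value) : $value;
}

// Constructed demo: a temporary transformations directory holding one
// legitimate transform, then one legitimate name and two attacker-style values.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pma_transformations_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents(
    $dir . DIRECTORY_SEPARATOR . 'text_upper.inc.php',
    "<?php\nfunction PMA_transformation_text_upper(\$v) { return strtoupper(\$v); }\n"
);

var_dump(pma_apply_transformation('text_upper', 'hello', $dir));
var_dump(pma_apply_transformation('/etc/shadow', 'hello', $dir));
var_dump(pma_apply_transformation('../../etc/passwd', 'hello', $dir));
```

Only the first call reaches a transform function; the other two fail the identifier check before any filesystem access and return the value unchanged.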