Loïc wrote:
Some amazing things (you'll love them, Geert ;))
Let's say:
- you have three dbs (mysql of course, db1, db2) with an empty mysql.db table (which should never be the case, but...)
- you use the advanced authentication mode,
- you log in as a user with $cfgServers[n]['only_db'] = 'db1' and $cfgAllowUserDropDatabase = TRUE
Then display database details, move to the end of the page, copy the url of the "delete db" link, paste it in your address bar, replace db1 by db2 at this location and run the url... No problem to delete a db that is not yours :(
Loïc,
what are the global privileges of your user? and of your stduser? Are you saying that a user without global drop privs can use, via phpMyAdmin, the stduser's global drop privs?
In my opinion, the 'only_db' should not be viewed as a protection mechanism, because a malicious user could install his own copy of phpMyAdmin and configure it the way he likes (but only knowing his user/password).
The true protection is in MySQL access priv. If phpMyAdmin elevates the privs of the "logged in" user, we must correct this. If it does not elevate privs, this is not a phpMyAdmin security issue.
Marc
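The defect Loïc describes is a missing server-side authorization check: the target database name arrives in the request URL and the handler acts on it after consulting only the global "users may drop" switch, never the per-server 'only_db' restriction. The following is an added illustration written for this thread, not phpMyAdmin code; the names ServerConfig, FakeMySQL, drop_unchecked and drop_checked are hypothetical, and it assumes only_db may hold a single name or a list of names and that the action URL carries the target as ?db=<name>.

```python
"""Unchecked vs checked handling of a "drop database" request.

Added illustration of the authorization gap discussed in the thread; it is
not phpMyAdmin code.  All class and function names here are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Union
from urllib.parse import parse_qs, urlparse


@dataclass
class ServerConfig:
    # Models the two settings named in the thread.  Assumption: only_db may
    # be a single database name or a list of names; empty means unrestricted.
    only_db: Union[str, List[str]] = ""
    allow_user_drop_database: bool = False


@dataclass
class FakeMySQL:
    # Constructed stand-in for the MySQL server: it only records which
    # databases exist and which statements were executed against it.
    databases: Set[str] = field(default_factory=lambda: {"mysql", "db1", "db2"})
    executed: List[str] = field(default_factory=list)

    def drop(self, db: str) -> None:
        self.databases.discard(db)
        self.executed.append(f"DROP DATABASE {db}")


def allowed_databases(cfg: ServerConfig) -> Set[str]:
    """Normalise only_db to a set of names (empty set = no restriction)."""
    if not cfg.only_db:
        return set()
    if isinstance(cfg.only_db, str):
        return {cfg.only_db}
    return set(cfg.only_db)


def db_from_url(url: str) -> str:
    """Extract the target database from the request URL (constructed layout)."""
    return parse_qs(urlparse(url).query).get("db", [""])[0]


def drop_unchecked(url: str, cfg: ServerConfig, server: FakeMySQL) -> str:
    """The pattern the thread describes: only the global switch is consulted,
    so editing ?db= in the address bar reaches any database."""
    if not cfg.allow_user_drop_database:
        return "denied: drop disabled"
    server.drop(db_from_url(url))
    return "dropped"


def drop_checked(url: str, cfg: ServerConfig, server: FakeMySQL,
                 log: List[str]) -> str:
    """Same action with the only_db restriction enforced server-side and the
    refusal written to an application log for later review."""
    db = db_from_url(url)
    if not cfg.allow_user_drop_database:
        return "denied: drop disabled"
    allowed = allowed_databases(cfg)
    if allowed and db not in allowed:
        log.append(f"denied DROP of {db!r}: outside only_db={sorted(allowed)}")
        return "denied: outside only_db"
    server.drop(db)
    return "dropped"


def run_scenario() -> Dict[str, object]:
    """Replay the thread's scenario: only_db='db1', drop enabled, and a URL
    whose db parameter has been edited from db1 to db2."""
    cfg = ServerConfig(only_db="db1", allow_user_drop_database=True)
    tampered = "http://pma.example/sql.php?server=1&db=db2&drop=1"  # constructed
    legit = "http://pma.example/sql.php?server=1&db=db1&drop=1"     # constructed

    unchecked_server = FakeMySQL()
    unchecked_result = drop_unchecked(tampered, cfg, unchecked_server)

    checked_server, log = FakeMySQL(), []
    checked_tampered = drop_checked(tampered, cfg, checked_server, log)
    checked_legit = drop_checked(legit, cfg, checked_server, log)

    return {
        "unchecked_result": unchecked_result,
        "unchecked_db2_survives": "db2" in unchecked_server.databases,
        "checked_tampered": checked_tampered,
        "checked_legit": checked_legit,
        "checked_db2_survives": "db2" in checked_server.databases,
        "checked_db1_survives": "db1" in checked_server.databases,
        "log": log,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The checked variant closes the path through the phpMyAdmin interface and leaves a log line for each refused request, but it does not change Marc's point: a user who can reach the MySQL server with their own client is bounded only by the privileges MySQL grants that account, so the application-side check is a second layer, not a substitute for correct GRANTs.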