Hi
On Wednesday 18 of June 2003 21:37, Garvin Hicking wrote:
Hi: I just want to know.. if the recently published bugs at securityfocus are true.. sometimes the people lie on this list... that's my question... --Visita
You seem to mean http://www.securityfocus.com/archive/1/325641 ? I just found that by searching the site. Sadly though, that person has never contacted the team about that issue.
As far as I can tell, that ImportDocSQL security issue was fixed since
I can still browse in phpMyAdmin directory - this should be fixed.
2.5.0 - I haven't looked into the other XSS issues, as the original poster doesn't exactly specify them.
There are some examples, you can try:
http://sql/read_dump.php3?db=nonexistent&sql_query=%3Cscript%3Ewindow.al...
Most actions need a valid 'session' to execute cross-site scripting, which is not *that* serious.
Maybe even worse, you can include javascript that will read cookies with login and password...
Storing cookies unencrypted is documented in some of our RFE trackers, why we don't encrypt the data currently.
The proposed solution for this seems like a joke :-)
- Second: Use a partial / secure encoding for authentication tokens like RadiX64 (not very secure but an attacker can think that is a more secure algorithm, obscurity ;-D).
But our team should definitely take some time to write a follow-up/response to that item...
If nobody else will take this, I will look at some problems tomorrow.
What I don't understand is why they didn't first contact the developers, as is usual in security problems...
btw: I just looked for something on the net (only .cz, searched by jyxo.cz) and I found several publicly accessible installations with config stored passwords :-))