Rabus wrote:
----- Original Message ----- From: "Robin Johnson" robbat2@fermi.orbis-terrarum.net
I've just had a major security hole reported to me by Colin Keigher (AnimeFreak) animefreak@users.sourceforge.net It relates to how some sites have PMA set up (they have username and password hardcoded, without any .htaccess protection).
Arg...! No comment :o)
Basically, by searching on Google for "Welcome to phpMyAdmin" or it's translated equivilents, you can find a lot of PMA installations. You can put the version number in there as well, like "Welcome to phpMyAdmin 2.3.0-rc1" Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome... in+2.3.0%22&meta=
With using some of these URL's you can do stuff like: http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do not have a machine here which is affected by this securety hole.
Alexander,
you won't like me, but I think we should wait to include a fix for a "hole" until a developer can reproduce it.
Marc