[Phpmyadmin-devel] disabled functions for security

We got a report from a user whose ISP has disabled ini_get() and mysql_list_dbs() for security reasons. Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.

Comments?

Marc

-----Original Message-----
From: Marc Delisle

> We got a report from a user, his ISP has disabled ini_get() and mysql_list_dbs() for security reasons.

Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs() ??? I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW DATABASES;'), since this should bring the same result.

> Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.

This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...

function_exists('ini_get')

... by ...

(!$cfg['IniGetDisabled'] && function_exists('ini_get'))

Alexander M. Turek <alex@bugfixes.info>
+-----------------------------+
| The phpMyAdmin Project      |
| http://www.phpmyadmin.net   |
| rabus@users.sourceforge.net |
+-----------------------------+
| [bugfixes.info]             |
| http://www.bugfixes.info    |
| rabus@bugfixes.info         |
+-----------------------------+

Rabus wrote:
> -----Original Message-----
> From: Marc Delisle
>
> > We got a report from a user, his ISP has disabled ini_get() and mysql_list_dbs() for security reasons.
>
> Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs() ???

Fine admins at members.lycos.co.uk. Talk to them, you are in Europe :)

> I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW DATABASES;') since this should bring the same result.

Let's look at this after 2.4.0; I think it's late in the cycle to introduce this.

> > Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.
>
> This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...
>
> function_exists('ini_get')
>
> ... by ...
>
> (!$cfg['IniGetDisabled'] && function_exists('ini_get'))

Good idea, but if IniGetDisabled is set, we cannot detect if uploads are enabled, so we should set $is_upload to TRUE. The worst that can happen is that they get an error trying to upload.

Marc

On Sun, Feb 23, 2003 at 06:58:11AM -0500, Marc Delisle wrote:
> > Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs() ???
>
> Fine admins at members.lycos.co.uk. Talk to them, you are in Europe :)

I agree there may be places to disable that function, and their setup may be one of them. There was a PHP script going around a few months ago that set out to hack MySQL databases by getting uploaded to a site and run. It used mysql_list_dbs() to get a list of targets for you to choose from.

> > I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW DATABASES;') since this should bring the same result.
>
> Let's look at this after 2.4.0, I think it's late in the cycle to introduce this.

I agree with this. It is too late for it now. I was going to do some work on the database listing stuff for 2.4.1 anyway, so I'll write up our PMA_list_dbs() for then.

> > > Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.
> >
> > This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...
> >
> > function_exists('ini_get')
> >
> > ... by ...
> >
> > (!$cfg['IniGetDisabled'] && function_exists('ini_get'))

Just taking this generic for a sec, does somebody want to throw together PMA_function_exists() that does the function_exists check + check if it's disabled, for a better result?

--
Robin Hugh Johnson
E-Mail    : robbat2@orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#      : 30269588 or 41961639
GnuPG FP  : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85

robbat2@orbis-terrarum.net wrote:
> On Sun, Feb 23, 2003 at 06:58:11AM -0500, Marc Delisle wrote:
> > > Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs() ???
> >
> > Fine admins at members.lycos.co.uk. Talk to them, you are in Europe :)
>
> I agree there may be places to disable that function, and their setup may be one of them. There was a PHP script going around a few months ago that set out to hack MySQL databases by getting uploaded to a site and run. It used mysql_list_dbs() to get a list of targets for you to choose from.
>
> > > I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW DATABASES;') since this should bring the same result.
> >
> > Let's look at this after 2.4.0, I think it's late in the cycle to introduce this.
>
> I agree with this. It is too late for it now. I was going to do some work on the database listing stuff for 2.4.1 anyway, so I'll write up our PMA_list_dbs() for then.
>
> > > > Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.
> > >
> > > This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...
> > >
> > > function_exists('ini_get')
> > >
> > > ... by ...
> > >
> > > (!$cfg['IniGetDisabled'] && function_exists('ini_get'))
>
> Just taking this generic for a sec, does somebody want to throw together PMA_function_exists() that does the function_exists check + check if it's disabled for a better result?

Robin, I agree to take this generic, but just *how* can we check if it's disabled? Try it and look for an error?

Marc

On Mon, Mar 03, 2003 at 10:03:08AM -0500, Marc Delisle wrote:
> > > > > Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.
> > > >
> > > > This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...
> > > >
> > > > function_exists('ini_get')
> > > >
> > > > ... by ...
> > > >
> > > > (!$cfg['IniGetDisabled'] && function_exists('ini_get'))
> >
> > Just taking this generic for a sec, does somebody want to throw together PMA_function_exists() that does the function_exists check + check if it's disabled for a better result?
>
> I agree to take this generic, but just *how* can we check if it's disabled? Try it and look for an error?

Sounds like a good route to me.

I'm trying to hack together a testcase quickly.

On Mon, Mar 03, 2003 at 08:05:48AM -0800, robbat2@orbis-terrarum.net wrote:
> On Mon, Mar 03, 2003 at 10:03:08AM -0500, Marc Delisle wrote:
> > > > > > Problem is, in this case, function_exists('ini_get') is true even if ini_get() is disabled.
> > > > >
> > > > > This is a problem, indeed. As far as I can say, we can only work around this by adding a new directive to the config file, e.g. $cfg['IniGetDisabled'] with default value FALSE. In this case we simply replace ...
> > > > >
> > > > > function_exists('ini_get')
> > > > >
> > > > > ... by ...
> > > > >
> > > > > (!$cfg['IniGetDisabled'] && function_exists('ini_get'))
> > >
> > > Just taking this generic for a sec, does somebody want to throw together PMA_function_exists() that does the function_exists check + check if it's disabled for a better result?
> >
> > I agree to take this generic, but just *how* can we check if it's disabled? Try it and look for an error?
>
> Sounds like a good route to me.
>
> I'm trying to hack together a testcase quickly.

Umm, on PHP 4.3.0 I get results like the following (with ini_get disabled): function_exists('ini_get') returns FALSE, which is not what was mentioned before! I can't quite get the code to behave right anyway, but everybody can take a look at it in the meantime: http://www.orbis-terrarum.net/~robbat2/phptest/
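Added example, written for this archive and not taken from phpMyAdmin or from any of the participants: a PHP sketch of the PMA_function_exists() helper Robin asked for, which combines function_exists() with a look at the disable_functions directive, together with the $is_upload fallback Marc described. The function names, the shape of the $cfg array and the "assume usable when we cannot tell" behaviour are assumptions; ini_get('disable_functions') and ini_get('file_uploads') are real PHP directives.

```php
<?php
// Added example, not phpMyAdmin code. Helper names are assumptions.

/**
 * TRUE only if $name is defined and is not listed in disable_functions.
 *
 * Current PHP releases already make function_exists() return FALSE for a
 * disabled function (what Robin observed on 4.3.0). The extra ini check is
 * for the older behaviour the original report describes, where the function
 * still "exists" but calling it only emits a warning and returns NULL.
 */
function PMA_function_exists($name)
{
    $name = strtolower($name);

    if (!function_exists($name)) {
        return false;
    }

    // disable_functions can only be read through ini_get(). If ini_get() is
    // itself unusable there is nothing more we can learn here, which is why
    // the thread proposes the $cfg['IniGetDisabled'] directive as a manual
    // override; the caller decides what to assume (see PMA_uploads_enabled).
    if (!function_exists('ini_get')) {
        return true;
    }

    $disabled = (string) ini_get('disable_functions');
    if ($disabled === '') {
        return true;
    }

    // The directive is a comma-separated list; normalise case and spacing.
    $list = array_map('trim', explode(',', strtolower($disabled)));
    return !in_array($name, $list, true);
}

/**
 * The $is_upload fallback Marc proposed: when ini_get() is unusable, either
 * by configuration ($cfg['IniGetDisabled']) or by detection, assume uploads
 * are enabled. The worst outcome is an error when the user tries to upload,
 * rather than a silently missing feature.
 */
function PMA_uploads_enabled(array $cfg)
{
    if (!empty($cfg['IniGetDisabled']) || !PMA_function_exists('ini_get')) {
        return true;
    }

    // file_uploads is a boolean ini value; accept the spellings php.ini allows.
    $val = strtolower(trim((string) ini_get('file_uploads')));
    return in_array($val, array('1', 'on', 'true', 'yes'), true);
}

// Constructed demo: the config array as config.inc.php would set it, with
// the proposed directive at the default of FALSE that Rabus suggested.
$cfg = array('IniGetDisabled' => false);

$is_upload = PMA_uploads_enabled($cfg);

printf(
    "ini_get usable: %s; mysql_list_dbs usable: %s; assuming uploads: %s\n",
    PMA_function_exists('ini_get') ? 'yes' : 'no',
    PMA_function_exists('mysql_list_dbs') ? 'yes' : 'no',
    $is_upload ? 'yes' : 'no'
);
```

Run it once normally and once with `php -d disable_functions=ini_get` to see both branches: in the second case the helper cannot read disable_functions at all, so it reports ini_get as unusable (on a current PHP, because function_exists() itself returns FALSE) and the upload check falls back to TRUE, which is the behaviour the thread agreed on.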