----- Original Message -----
From: "Robin Johnson" <robbat2(a)fermi.orbis-terrarum.net>
I've just had a major security hole reported to me
by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Arg...! No comment :o)
Basically, by searching on Google for "Welcome to
phpMyAdmin" or it's
translated equivilents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
in+2.3.0%22&meta=
I've just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
And other nefarious things. I found a few sites where
I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
Cool! We've built a hacking tool!
This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
I agree, but we cannot trust in these directives, imho.
2. We should deprecate the user/password standard
login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that unsecure method back on should
have huge warnings around it.
Could we detect a .htaccess protection?
If so, let's display a big red warning if someone uses the config auth mode
without a .htaccess protection...
Alexander