12 Aug
2002
12 Aug
'02
2:34 a.m.
Hi Guys,
I've just had a major security hole reported to me by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Basically, by searching on Google for "Welcome to phpMyAdmin" or it's
translated equivilents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
With using some of these URL's you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
Here is a front page:
http://garfield.vet.fnt.hvu.nl/counter/myadmin/
And other nefarious things. I found a few sites where I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
2. We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that unsecure method back on should
have huge warnings around it.
--
Robin Hugh Johnson
E-Mail : robbat2(a)orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
12 Aug
12 Aug
4:59 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
----- Original Message -----
From: "Robin Johnson" <robbat2(a)fermi.orbis-terrarum.net>
I've just had a major security hole reported to me
by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Arg...! No comment :o)
Basically, by searching on Google for "Welcome to
phpMyAdmin" or it's
translated equivilents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
in+2.3.0%22&meta=
With using some of these URL's you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
And other nefarious things. I found a few sites where
I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
Cool! We've built a hacking tool!
This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
I agree, but we cannot trust in these directives, imho.
2. We should deprecate the user/password standard
login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that unsecure method back on should
have huge warnings around it.
Could we detect a .htaccess protection?
If so, let's display a big red warning if someone uses the config auth mode
without a .htaccess protection...
Alexander
6:10 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
Hi Robin an the others,
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
in+2.3.0%22&meta=
*G* that has been a very stupid function in the first case .. one should
always watch security than coding such stuff
I did not check how you fixed that but I guess the easiest way whould be to
add $cfg[PmaAsoluteUri] to the $is_gotofile var
so the above would result in
"http://www1.tsimtung.com/phpMyAdmin/etc/passwd" an therefor fail ;-)
Thomas
With using some of these URL's you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole. 
10:23 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
Rabus wrote:
----- Original Message -----
From: "Robin Johnson" <robbat2(a)fermi.orbis-terrarum.net>
Alexander,
you won't like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.
Marc
I've just had a major security hole reported
to me by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Arg...! No comment :o)
Basically, by searching on Google for
"Welcome to phpMyAdmin" or it's
translated equivilents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
in+2.3.0%22&meta=
With using some of these URL's you can do
stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
I've just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
3:31 p.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
On Mon, 12 Aug 2002, Marc Delisle wrote:
I'm going to set up a copy of PMA that exhibits the security hole for us
to test out bug. Give me a day or two, as I have some more pressing work
at the moment.
--
Robin Hugh Johnson
E-Mail : robbat2(a)orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
I've just
merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
you won't
like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.
3:39 p.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
Robin Johnson a écrit :
On Mon, 12 Aug 2002, Marc Delisle wrote:
I'm going to set up a copy of PMA that exhibits the security hole for us
to test out bug. Give me a day or two, as I have some more pressing work
at the moment.
Robin,
the "goto" problem?
Marc
I've
just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
you won't
like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.
4:13 p.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
On Mon, 12 Aug 2002, Marc Delisle wrote:
I've checked out the goto problem, and you were right, it is fixed in the
recent releases. It now limits you to files only in the phpMyAdmin install
directory. Which can still be a problem in itself I think.
On checking out the other problem with systems totally open using the
config mechanism, try out this series of SQL Commands:
First time around:
CREATE TABLE testB ( t mediumtext );
LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE
testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
Where you need to change the path of the file, and the 'TERMINATED BY'
parts for your own systems.
When that completes,
I ran this:
SELECT * FROM testB WHERE t like '%Server%' AND (t like '%user%' or t
like
'%password%');
To get just the PMA authentication data.
Of course, this exploit requires that the user have the FILE privilege.
This would apply to all cases where PMA has been set up with the user as
root, or anybody else with the FILE privilege.
I'm carrying on looking for more holes along these lines.
--
Robin Hugh Johnson
E-Mail : robbat2(a)orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
On Mon, 12 Aug
2002, Marc Delisle wrote:
I'm going to set up a copy of PMA that exhibits the security hole for us
to test out bug. Give me a day or two, as I have some more pressing work
at the moment.
Robin,
the "goto" problem?
Marc I've
just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this securety hole.
you won't
like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.
14 Aug
14 Aug
10:54 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
Robin Johnson wrote:
On checking out the other problem with systems totally open using the
config mechanism, try out this series of SQL Commands:
First time around:
CREATE TABLE testB ( t mediumtext );
LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE
testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
This fails if the config file is chmod 660, as suggested by faq [4.2].
--
Marc Delisle
12 Aug
12 Aug
8:13 a.m.
Robin Johnson wrote:
Hi Guys,
I've just had a major security hole reported to me by
Colin Keigher (AnimeFreak) <animefreak(a)users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).
Basically, by searching on Google for "Welcome to phpMyAdmin" or it's
translated equivilents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcom…
With using some of these URL's you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
Can a developer reproduce this problem? I tried and could not.
I even put my PHP in non-safe mode.
--
Marc Delisle
10:09 a.m.
Robin Johnson wrote:
Hi Guys,
And other nefarious things. I found a few sites where I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user
root and no password.
Let's add a red warning when we detect that they are using 'config' auth
mode, with a blank password, to try to educate the admin of this system.
This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
2. We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that unsecure method back on should
have huge warnings around it.
--
Marc Delisle
11:07 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
----- Original Message -----
From: "Marc Delisle" <Delislma(a)CollegeSherbrooke.qc.ca>
MySQL ships with this configuration as default to make the first access
easy. But of course this is not meant to be left like this after the server
has been configured.
Robin Johnson wrote:
> Hi Guys,
>
>
> And other nefarious things. I found a few sites where I could access
their
> entire database with full rights, even some where
they have configured
the
user to root
and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user
root and no password. Let's add a red warning when we detect that they
are using 'config' auth
mode, with a blank password, to try to educate the admin of this system.
I agree.
Alexander
13 Aug
13 Aug
8:56 a.m.
New subject: [Phpmyadmin-devel] Re: MAJOR security hole
Rabus wrote:
----- Original Message -----
From: "Marc Delisle" <Delislma(a)CollegeSherbrooke.qc.ca>
MySQL ships with this configuration as default to make the first access
easy. But of course this is not meant to be left like this after the server
has been configured.
Done!
--
Marc Delisle
Robin Johnson wrote:
>Hi Guys,
>
>
>And other nefarious things. I found a few sites where I could access
>
their
>entire database with full rights, even some
where they have configured
>
the
user to
root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user
root and no password.
Let's add a red warning when we detect that
they are using 'config' auth
mode, with a blank password, to try to educate the admin of this system.
I agree.
8069
days inactive
8072
days old
11 comments
5 participants
participants (5)
-
"Thomas Bähr [Office]" -
Marc Delisle -
Marc Delisle
-
Rabus -
Robin Johnson