Some amazing things (you'll love them, Geert ;))
1) Let's say:
- you have three db (mysql of course, db1, db2) with an empty mysql.db table (no one should be the case but...)
- you use the advanced authentication mode,
- you log in as a user with $cfgServers[n]['only_db'] = 'db1' and $cfgAllowUserDropDatabase = TRUE
Then display database details, move to the end of the page, copy the url of the "delete db" link, paste it in your address bar, replace db1 by db2 at this location and run the url... No problem to delete a db that is not your one :(
2) This kind of problem may be reproduced with nearly all actions since the script never checks whether the db to work on is in the list of allowed db or not :((
3) In advanced authentication mode, the script checks for allowed databases in $cfgServers[n]['only_db'] AND mysql.db, mysql.table. What to do if these two sources are different?
4) Why does the script check for allowed databases in mysql.db and mysql.table only in the advanced authentication case?
To be continued....
Loïc
______________________________________________________________________________ ifrance.com, the most complete free email on the Internet! Your emails from a browser, via POP3, on Minitel, on WAP... http://www.ifrance.com/_reloc/email.emailif
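Points 1 and 2 above describe the same missing check: the database name taken from the request is never compared against the list of databases the logged-in user is allowed to use. The following is an added example, not phpMyAdmin's own code, of what such a server-side check looks like when it is applied on every action rather than only when the database list is displayed. The function names `build_allowed_dbs`, `assert_db_allowed` and `drop_database_guarded` are assumptions made for this illustration; the `'db1'`/`'db2'` values are the ones from the report, and the request value is constructed for the demo.

```php
<?php
// Added example (not phpMyAdmin's own code): refuse any database name that is not in
// the user's allow-list before running a destructive action such as DROP DATABASE.
// Hypothetical helper names: build_allowed_dbs(), assert_db_allowed(), drop_database_guarded().

/**
 * Build the set of databases the logged-in user may touch.
 *   $onlyDb     - the $cfgServers[n]['only_db'] value (a string, or an array of strings)
 *   $grantedDbs - names read from mysql.db / mysql.tables_priv for this user
 * Design choice for point 3 of the report: when only_db is configured, the result is
 * the INTERSECTION of the two sources, so a mismatch between them can only narrow,
 * never widen, what the user may act on.
 */
function build_allowed_dbs($onlyDb, array $grantedDbs): array
{
    $fromConfig = is_array($onlyDb) ? $onlyDb : ($onlyDb === '' ? [] : [$onlyDb]);
    if ($fromConfig === []) {
        return array_values(array_unique($grantedDbs));
    }
    return array_values(array_intersect($fromConfig, $grantedDbs));
}

/** Throw unless $db is exactly (byte-for-byte, case-sensitive) in the allow-list. */
function assert_db_allowed(string $db, array $allowed): void
{
    if (!in_array($db, $allowed, true)) {
        throw new RuntimeException("database '$db' is not permitted for this user");
    }
}

/** Drop $db only after the allow-list check; the name is quoted as an identifier. */
function drop_database_guarded(mysqli $conn, string $db, array $allowed): void
{
    assert_db_allowed($db, $allowed);
    $quoted = '`' . str_replace('`', '``', $db) . '`';
    $conn->query("DROP DATABASE $quoted");
}

// Constructed scenario from the report: only_db = 'db1', MySQL grants cover db1 and db2.
$allowed = build_allowed_dbs('db1', ['db1', 'db2']);   // -> ['db1']

// The database name comes from the URL and is never trusted before the check.
// 'db2' is the constructed default so the example runs without a real request.
$requested = $_GET['db'] ?? 'db2';
try {
    assert_db_allowed($requested, $allowed);           // 'db2' is rejected here
    echo "allowed: $requested\n";
} catch (RuntimeException $e) {
    http_response_code(403);
    echo $e->getMessage(), "\n";
}
```

The same `assert_db_allowed` call belongs at the top of every script that receives a `db` parameter (table listing, insert, alter, drop), which is what makes point 2 of the report go away: the allow-list is enforced where the action happens, not where the link is rendered.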
I have a nice little one (that's not a security risk - but it still shouldn't be allowed):
http://some.server.running.phpmyadmin/phpmyadmin/main.php3?lang=nl
That would actually set the language selection cookie in the browser - (and change the language used later) - even though one didn't pass the adv. auth. request - then the error message will be shown in the language of your choice... This would in this case not be a problem - but if something like that happens other places in the code... that might end up being a problem...
;o)))
In other words - my opinion is never to trust any variable supplied on the GET (or a POST) request until at least the user is verified as a user with access rights... That would eliminate some future problems - but definitely not all...
-- Kind regards Geert Lund
----- Original Message -----
From: "Loïc" loic-div@ifrance.com
To: "phpMyAdmin" phpmyadmin-devel@lists.sourceforge.net
Sent: Tuesday, September 25, 2001 11:31 PM
Subject: [Phpmyadmin-devel] Security issues
Some amazing things (you'll love them, Geert ;))
Let's say:
- you have three db (mysql of course, db1, db2) with an empty mysql.db table (no one should be the case but...)
- you use the advanced authentication mode,
- you log in as a user with $cfgServers[n]['only_db'] = 'db1' and $cfgAllowUserDropDatabase = TRUE
Then display database details, move to the end of the page, copy the url of the "delete db" link, paste it in your address bar, replace db1 by db2 at this location and run the url... No problem to delete a db that is not your one :(
This kind of problem may be reproduced with nearly all actions since the script never checks whether the db to work on is in the list of allowed db or not :((
In advanced authentication mode, the script checks for allowed databases in $cfgServers[n]['only_db'] AND mysql.db, mysql.table. What to do if these two sources are different?
Why does the script check for allowed databases in mysql.db and mysql.table only in the advanced authentication case?
To be continued....
Loïc
Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
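Geert's rule, authenticate first and only then act on anything the client supplied, can be made concrete for the `lang` parameter he mentions. The following is an added example, not phpMyAdmin's own code: the language is resolved only against a fixed allow-list, and the cookie is written only when the request has already passed authentication, so an anonymous request can never change browser state. The helper names `resolve_language` and `apply_language_choice`, the cookie name `pma_lang`, and the language list are assumptions made for the demo.

```php
<?php
// Added example (not phpMyAdmin's own code). Hypothetical helper names:
// resolve_language(), apply_language_choice(). Language list and cookie name are constructed.

const SUPPORTED_LANGS = ['en', 'nl', 'fr', 'de'];
const DEFAULT_LANG    = 'en';

/**
 * Decide which language to render with and whether to persist it.
 *   $authenticated - result of the authentication step, which must run BEFORE this
 *   $getLang       - raw value of ?lang= (null, or anything the client sent)
 *   $cookieLang    - raw value of the existing language cookie
 * Returns [language, persist]. persist is true only for an authenticated request that
 * named a supported language; an unauthenticated request never changes state.
 */
function resolve_language(bool $authenticated, ?string $getLang, ?string $cookieLang): array
{
    // Validate both raw inputs against the allow-list; anything else is dropped.
    $fromGet    = in_array($getLang, SUPPORTED_LANGS, true) ? $getLang : null;
    $fromCookie = in_array($cookieLang, SUPPORTED_LANGS, true) ? $cookieLang : null;

    if (!$authenticated) {
        // Before authentication the GET parameter is ignored entirely.
        return [$fromCookie ?? DEFAULT_LANG, false];
    }
    if ($fromGet !== null) {
        return [$fromGet, true];
    }
    return [$fromCookie ?? DEFAULT_LANG, false];
}

/** Apply the decision: set the cookie only when resolve_language() says so. */
function apply_language_choice(bool $authenticated): string
{
    [$lang, $persist] = resolve_language(
        $authenticated,
        $_GET['lang'] ?? null,
        $_COOKIE['pma_lang'] ?? null    // 'pma_lang' is a constructed cookie name
    );
    if ($persist) {
        // 30-day cookie, HttpOnly; the value is guaranteed to be from SUPPORTED_LANGS.
        setcookie('pma_lang', $lang, time() + 30 * 24 * 3600, '/', '', false, true);
    }
    return $lang;
}

// Constructed demo: the request carries ?lang=nl but authentication has not passed.
$_GET['lang'] = 'nl';
$lang = apply_language_choice(false);
echo "render in: $lang\n";   // 'en' (or the existing valid cookie); no cookie is written

// Same request after authentication: 'nl' is accepted and persisted.
$lang = apply_language_choice(true);
echo "render in: $lang\n";   // 'nl'
```

The ordering is the important part: the authentication check runs before any script reads `$_GET` or `$_POST` for something that has a side effect, and every value that is read is matched against a list the server controls rather than echoed back or stored as received.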
Loïc wrote:
Some amazing things (you'll love them, Geert ;))
Let's say:
- you have three db (mysql of course, db1, db2) with an empty mysql.db table (no one should be the case but...)
- you use the advanced authentication mode,
- you log in as a user with $cfgServers[n]['only_db'] = 'db1' and $cfgAllowUserDropDatabase = TRUE
Then display database details, move to the end of the page, copy the url of the "delete db" link, paste it in your address bar, replace db1 by db2 at this location and run the url... No problem to delete a db that is not your one :(
Loïc,
what are the global privileges of your user? and of your stduser? Are you saying that a user without global drop privs can use, via phpMyAdmin, the stduser's global drop privs?
In my opinion, the 'only_db' should not be viewed as a protection mechanism, because a malicious user could install his own copy of phpMyAdmin and configure it the way he likes (but only knowing his user/password).
The true protection is in MySQL access priv. If phpMyAdmin elevates the privs of the "logged in" user, we must correct this. If it does not elevate privs, this is not a phpMyAdmin security issue.
Marc