[Phpmyadmin-devel] Security issues

Loïc loic-div at ifrance.com
Tue Sep 25 14:32:03 CEST 2001

Some amazing things (you'll love them, Geert ;))

1) Let's say:
    -  you have three db (mysql of course, db1, db2) with an empty
       mysql.db table (no one should be the case but...)
    - you use the advanced athentication mode,
    - you log in as an user with $cfgServers[n]['only_db'] = 'db1' and
      $cfgAllowUserDropDatabase = TRUE

   Then display database details, move to the end of the page,
   copy the url of the "delete db" link, paste it in your adress bar,
   replace db1 by db2 at this location and run the url... No problem
   to delete a db that is not your one :(

2) This kind of problem may be reproduced with nearly all actions
    since the script never checks whether the db to work on is in the
    list of allowed db or not :((

3) In advanced authentication mode, the script checks for allowed
    databases in $cfgServers[n]['only_db'] AND mysql.db, mysql.table.
    What to do if theses two sources are different?

4) Why does the script checks for allowed databases in mysql.db and
    mysql.table only in advanced authentication case.

To be continued....


ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...

More information about the Developers mailing list