[Phpmyadmin-devel] Security issues
Geert Lund - SilverSoft Productions
glund at silversoft.dk
Tue Sep 25 14:43:08 CEST 2001
I have a nice little one (that's not a security risk - but it still
shouldn't be allowed):
http://some.server.running.phpmyadmin/phpmyadmin/main.php3?lang=nl
That would actually set the language selection cookie in the browser - (and
change the language used later) - even though one didn't pass the adv.
auth. request - then the error message will be shown in the language of your
choice... This would in this case not be a problem - but if something like
that happens in other places in the code... that might end up being a problem...
;o)))
In other words - my opinion is never to trust any variable supplied on the
GET (or a POST) request until at least the user is verified as a user with
access rights... That would eliminate some future problems - but definitely
not all...
--
Kind regards
Geert Lund
----- Original Message -----
From: "Loïc" <loic-div at ifrance.com>
To: "phpMyAdmin" <phpmyadmin-devel at lists.sourceforge.net>
Sent: Tuesday, September 25, 2001 11:31 PM
Subject: [Phpmyadmin-devel] Security issues
> Some amazing things (you'll love them, Geert ;))
>
> 1) Let's say:
> - you have three db (mysql of course, db1, db2) with an empty
> mysql.db table (no one should be the case but...)
> - you use the advanced authentication mode,
> - you log in as a user with $cfgServers[n]['only_db'] = 'db1' and
> $cfgAllowUserDropDatabase = TRUE
>
> Then display database details, move to the end of the page,
> copy the url of the "delete db" link, paste it in your address bar,
> replace db1 by db2 at this location and run the url... No problem
> to delete a db that is not yours :(
>
> 2) This kind of problem may be reproduced with nearly all actions
> since the script never checks whether the db to work on is in the
> list of allowed db or not :((
>
> 3) In advanced authentication mode, the script checks for allowed
> databases in $cfgServers[n]['only_db'] AND mysql.db, mysql.table.
> What to do if these two sources are different?
>
> 4) Why does the script check for allowed databases in mysql.db and
> mysql.table only in the advanced authentication case?
>
> To be continued....
>
> Loïc
>
>
>
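As an added illustration, not code from phpMyAdmin or from either poster, of the two points in this thread: the hypothetical handler below refuses to act on any request parameter before the user is authenticated (Geert's point), and checks the database named in the URL against the configured `only_db` list before doing anything with it (the check Loïc reports as missing). Treating `only_db` as either a single name or an array of names is an assumption.

```php
<?php
// Added example, not phpMyAdmin code. Shows (1) acting on nothing from
// GET/POST before authentication and (2) comparing the requested database
// against the $cfgServers[n]['only_db'] allow-list before running an action.

// Hypothetical config fragment; only_db as string or array is an assumption.
$cfgServers = [
    1 => ['only_db' => 'db1'],
    2 => ['only_db' => ['db1', 'db3']],
];
$cfgAllowUserDropDatabase = true;

/** True only if $db is in the configured only_db allow-list. */
function isDbAllowed(string $db, $onlyDb): bool
{
    if ($onlyDb === null || $onlyDb === '') {
        return false;             // no allow-list configured: deny, do not assume
    }
    $allowed = is_array($onlyDb) ? $onlyDb : [$onlyDb];
    // Strict comparison: no type juggling, exact (case-sensitive) name match.
    return in_array($db, $allowed, true);
}

/** Hypothetical handler for the "delete db" link from the report. */
function handleDropDb(array $params, array $server, bool $authenticated, bool $dropAllowed): string
{
    // 1. Nothing from the request (not even a lang cookie) is used before auth.
    if (!$authenticated) {
        return 'error: authentication required';
    }
    $db = (string) ($params['db'] ?? '');
    // 2. The db taken from the URL must be in this user's allow-list.
    if (!isDbAllowed($db, $server['only_db'] ?? '')) {
        return "error: access denied to database '$db'";
    }
    if (!$dropAllowed) {
        return 'error: dropping databases is disabled';
    }
    // Only here would real code issue DROP DATABASE (omitted in this example).
    return "ok: would drop '$db'";
}

// Constructed requests replaying the URL-edit scenario against server 1:
echo handleDropDb(['db' => 'db1'], $cfgServers[1], true, $cfgAllowUserDropDatabase), "\n";  // ok
echo handleDropDb(['db' => 'db2'], $cfgServers[1], true, $cfgAllowUserDropDatabase), "\n";  // access denied
echo handleDropDb(['db' => 'db1'], $cfgServers[1], false, $cfgAllowUserDropDatabase), "\n"; // auth required
```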