[Phpmyadmin-devel] Security issues

Geert Lund - SilverSoft Productions glund at silversoft.dk
Tue Sep 25 14:43:08 CEST 2001


I have a nice little one (that's not a security risk - but it still
shouldn't be allowed):

  http://some.server.running.phpmyadmin/phpmyadmin/main.php3?lang=nl

That would actually set the language selection cookie in the browser - (and
changing the language used later) - even though one didn't pass the adv.
auth. request - then the error message will be shown in the language of your
choice... This would in this case not be a problem - but if something like
that happens other places in the code... that might end up being a problem...

;o)))

In other words - my opinion is never to trust any variable supplied on the
GET (or a POST) request until at least the user is verified as a user with
access rights... That would eliminate some future problems - but definitely
not all...

--
Kind regards
Geert Lund

----- Original Message -----
From: "Loïc" <loic-div at ifrance.com>
To: "phpMyAdmin" <phpmyadmin-devel at lists.sourceforge.net>
Sent: Tuesday, September 25, 2001 11:31 PM
Subject: [Phpmyadmin-devel] Security issues


> Some amazing things (you'll love them, Geert ;))
>
> 1) Let's say:
>     -  you have three db (mysql of course, db1, db2) with an empty
>        mysql.db table (no one should be the case but...)
>     - you use the advanced authentication mode,
>     - you log in as a user with $cfgServers[n]['only_db'] = 'db1' and
>       $cfgAllowUserDropDatabase = TRUE
>
>    Then display database details, move to the end of the page,
>    copy the url of the "delete db" link, paste it in your address bar,
>    replace db1 by db2 at this location and run the url... No problem
>    to delete a db that is not your one :(
>
> 2) This kind of problem may be reproduced with nearly all actions
>     since the script never checks whether the db to work on is in the
>     list of allowed db or not :((
>
> 3) In advanced authentication mode, the script checks for allowed
>     databases in $cfgServers[n]['only_db'] AND mysql.db, mysql.table.
>     What to do if these two sources are different?
>
> 4) Why does the script check for allowed databases in mysql.db and
>     mysql.table only in advanced authentication case.
>
> To be continued....
>
> Loïc
>
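
Added example (not part of the original thread and not phpMyAdmin's own code): one way to enforce the check that points 1) and 2) report as missing, validating the requested database against the user's allowed list before any action runs, and only after authentication as the reply argues. The function names and the `db`/`action` request keys are hypothetical, and treating `only_db` as the sole allow-list is an assumption.

```php
<?php
// Added example, not phpMyAdmin code. Function names and the 'db'/'action'
// request keys are hypothetical; only_db and the drop switch come from the thread.

/** Allow-list for the logged-in user (assumption: only_db is the sole source). */
function allowedDatabases(array $serverCfg): array
{
    $onlyDb = (array) ($serverCfg['only_db'] ?? []);
    // An unset or empty only_db yields an empty list, so everything is refused.
    return array_values(array_filter($onlyDb, fn($d) => is_string($d) && $d !== ''));
}

/** Returns the database to act on, or throws before any SQL is built. */
function authorizeDbAction(bool $authenticated, array $allowed, array $request, bool $allowDrop): string
{
    if (!$authenticated) {
        // Nothing from GET/POST is honoured before the user is verified.
        throw new RuntimeException('not authenticated');
    }
    $db = $request['db'] ?? '';
    if (!is_string($db) || !in_array($db, $allowed, true)) {
        throw new RuntimeException('database not in allowed list');
    }
    if (($request['action'] ?? '') === 'drop' && !$allowDrop) {
        throw new RuntimeException('dropping databases is disabled');
    }
    return $db;
}

// Constructed sample input mirroring the scenario in point 1).
$cfgServers = [1 => ['only_db' => 'db1']];
$cfgAllowUserDropDatabase = true;
$allowed = allowedDatabases($cfgServers[1]);

$requests = [
    [true,  ['db' => 'db1', 'action' => 'drop']],  // the user's own database
    [true,  ['db' => 'db2', 'action' => 'drop']],  // database name edited in the URL
    [false, ['db' => 'db1', 'action' => 'drop']],  // request sent without logging in
];
foreach ($requests as [$authed, $req]) {
    try {
        $db = authorizeDbAction($authed, $allowed, $req, $cfgAllowUserDropDatabase);
        echo "allowed: {$req['action']} on {$db}\n";
    } catch (RuntimeException $e) {
        echo "refused: {$req['db']} ({$e->getMessage()})\n";
    }
}
```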




