[Phpmyadmin-devel] Security issues

Marc Delisle lem9 at users.sourceforge.net
Tue Sep 25 17:36:03 CEST 2001


Loïc wrote:

> Some amazing things (you'll love them, Geert ;))
>
> 1) Let's say:
>     - you have three dbs (mysql of course, db1, db2) with an empty
>       mysql.db table (no one should be the case but...)
>     - you use the advanced authentication mode,
>     - you log in as a user with $cfgServers[n]['only_db'] = 'db1' and
>       $cfgAllowUserDropDatabase = TRUE
>
>    Then display database details, move to the end of the page,
>    copy the url of the "delete db" link, paste it in your address bar,
>    replace db1 by db2 at this location and run the url... No problem
>    to delete a db that is not yours :(
>

Loïc,

What are the global privileges of your user? And of your stduser? Are you saying
that a user without global drop privs can use, via phpMyAdmin, the stduser's
global drop privs?

In my opinion, the 'only_db' should not be viewed as a protection mechanism,
because a malicious user could install his own copy of phpMyAdmin and configure it
the way he likes (but only knowing his user/password).

The true protection is in MySQL access privs. If phpMyAdmin elevates the privs of
the "logged in" user, we must correct this. If it does not elevate privs, this is
not a phpMyAdmin security issue.

Marc
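An added illustration of the two checks this thread turns on; it is not phpMyAdmin code. The user names, the `PRIVS` table standing in for MySQL's `mysql.user`/`mysql.db` grants, and the URLs are constructed. It shows why the `db` value taken from the "delete db" link must be compared with the user's `only_db` and, as Marc argues, why the final word must be the logged-in user's own MySQL DROP grant rather than the stduser's.

```python
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for MySQL's privilege tables (hypothetical data):
# a global DROP flag (as in mysql.user) and per-database DROP grants
# (as in mysql.db). 'stduser' is the account the application connects
# with; it has global DROP but must never act on a browser user's behalf.
PRIVS = {
    "alice": {"global_drop": False, "db_drop": {"db1"}},
    "stduser": {"global_drop": True, "db_drop": set()},
}


def db_from_url(url: str) -> Optional[str]:
    """Return the 'db' query parameter a (possibly edited) delete link carries."""
    query = parse_qs(urlparse(url).query)
    return query.get("db", [None])[0]


def mysql_allows_drop(user: str, db: str) -> bool:
    """Mirror MySQL's decision: DROP needs a global or a db-level grant for *user*."""
    grants = PRIVS.get(user)
    if grants is None:
        return False
    return grants["global_drop"] or db in grants["db_drop"]


def may_drop(user: str, only_db: str, url: str) -> bool:
    """Server-side decision for the 'delete db' link.

    The db named in the URL must equal the user's only_db (the UI restriction
    the report bypasses by editing the URL), AND MySQL must grant DROP to the
    logged-in user. Checking only the first would still rely on only_db as a
    protection mechanism, which the reply says it is not.
    """
    db = db_from_url(url)
    if db is None or db != only_db:
        return False
    return mysql_allows_drop(user, db)
```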
