[Phpmyadmin-devel] MAJOR security hole

Robin Johnson robbat2 at fermi.orbis-terrarum.net
Sun Aug 11 23:34:01 CEST 2002


Hi Guys,

I've just had a major security hole reported to me by
Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
It relates to how some sites have PMA set up (they have username
and password hardcoded, without any .htaccess protection).

Basically, by searching on Google for "Welcome to phpMyAdmin" or its
translated equivalents, you can find a lot of PMA installations. You can
put the version number in there as well, like "Welcome to phpMyAdmin
2.3.0-rc1"
Here is a sample URL to search:
http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdmin+2.3.0%22&meta=

Using some of these URLs you can do stuff like:
http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No

Here is a front page:
http://garfield.vet.fnt.hvu.nl/counter/myadmin/

And other nefarious things. I found a few sites where I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.

This is what we need to do to fix it:
1. All served up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.

2. We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that insecure method back on should
have huge warnings around it.

-- 
Robin Hugh Johnson
E-Mail     : robbat2 at orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
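As an added example (not part of the original message and not phpMyAdmin's own code), here is one way the two proposals in the message above could be implemented in PHP: every response carries a robots directive, and the automatic config-file login is replaced by a login page that checks against a username/password-hash array in the configuration file, with the old method refused unless explicitly re-enabled. The config keys auth_users and AllowInsecureConfigAuth, the sample account, and the helper names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyAdmin code. The config keys 'auth_users' and
// 'AllowInsecureConfigAuth' and the sample credentials are assumptions.

// --- Proposal 1: keep every served page out of search indexes -----------
function send_noindex_header(): void
{
    // An HTTP header covers every response, including sql.php and friends.
    header('X-Robots-Tag: noindex, nofollow, noarchive');
}

function noindex_meta_tag(): string
{
    // For crawlers that only honour markup; emit inside <head> of every page.
    return '<meta name="robots" content="noindex, nofollow, noarchive">';
}

// --- Proposal 2: replace automatic config-file login with a login page ---
// Constructed sample config: one account, stored only as a password hash.
// In a real config.inc.php you would paste the output of
//   php -r 'echo password_hash("s3cret", PASSWORD_DEFAULT), PHP_EOL;'
$cfg = [];
$cfg['Servers'][0]['auth_type'] = 'cookie';               // assumed new default
$cfg['Servers'][0]['auth_users'] = [
    'admin' => password_hash('s3cret', PASSWORD_DEFAULT), // hashed at load time only for this demo
];
$cfg['Servers'][0]['AllowInsecureConfigAuth'] = false;    // hypothetical opt-in switch

function refuse_insecure_config_auth(array $server): void
{
    if (($server['auth_type'] ?? '') === 'config'
        && empty($server['AllowInsecureConfigAuth'])) {
        // Fail loudly instead of silently serving the database to the world.
        trigger_error(
            'auth_type "config" hands full database access to anyone who can reach '
            . 'this URL. Set AllowInsecureConfigAuth = true only if the directory is '
            . 'already protected by .htaccess or an authenticating proxy.',
            E_USER_ERROR
        );
    }
}

function authenticate(array $users, string $user, string $pass): bool
{
    // Verify against a dummy hash for unknown users so response time does
    // not reveal which usernames exist.
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $users[$user] ?? $dummy;
    return password_verify($pass, $hash) && isset($users[$user]);
}

function login_form(): string
{
    return '<!DOCTYPE html><html><head>' . noindex_meta_tag()
        . '<title>phpMyAdmin login</title></head><body>'
        . '<form method="post">'
        . '<label>Username <input name="pma_username" autocomplete="username"></label>'
        . '<label>Password <input name="pma_password" type="password" autocomplete="current-password"></label>'
        . '<button type="submit">Log in</button></form></body></html>';
}

// Call at the top of every page; returns the authenticated username, or
// sends the login form and stops.
function require_login(array $server): string
{
    refuse_insecure_config_auth($server);
    send_noindex_header();
    // HttpOnly keeps the session id away from scripts; add 'secure' => true under HTTPS.
    session_set_cookie_params(['httponly' => true, 'samesite' => 'Strict']);
    session_start();

    if (!empty($_SESSION['pma_user'])) {
        return $_SESSION['pma_user'];
    }

    $user = (string)($_POST['pma_username'] ?? '');
    $pass = (string)($_POST['pma_password'] ?? '');
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && authenticate($server['auth_users'] ?? [], $user, $pass)) {
        session_regenerate_id(true);   // fresh session id after login: no fixation
        $_SESSION['pma_user'] = $user;
        return $user;
    }

    http_response_code(401);
    echo login_form();
    exit;
}

// Usage at the top of index.php, sql.php, etc.:
// $who = require_login($cfg['Servers'][0]);
```

The header-based robots directive matters more than the meta tag here, because the pages that leak (sql.php and the like) are not the ones a site owner thinks of as "front pages"; the login gate is deliberately placed before any page logic runs so a direct request to sql.php gets the form, not the database. The AllowInsecureConfigAuth check is the "huge warnings" part of the proposal expressed as a hard failure rather than a comment in the config file.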