[Phpmyadmin-devel] Re: MAJOR security hole

Rabus rabus at bugfixes.info
Mon Aug 12 01:59:02 CEST 2002


----- Original Message -----
From: "Robin Johnson" <robbat2 at fermi.orbis-terrarum.net>
> I've just had a major security hole reported to me by
> Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
> It relates to how some sites have PMA set up (they have username
> and password hardcoded, without any .htaccess protection).

Arg...! No comment :o)

> Basically, by searching on Google for "Welcome to phpMyAdmin" or its
> translated equivalents, you can find a lot of PMA installations. You can
> put the version number in there as well, like "Welcome to phpMyAdmin
> 2.3.0-rc1"
> Here is a sample URL to search:
>
> http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdmin+2.3.0%22&meta=
>
> With using some of these URL's you can do stuff like:
> http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No

I've just merged a fix against that, but it needs some testing since I do
not have a machine here which is affected by this security hole.

> And other nefarious things. I found a few sites where I could access their
> entire database with full rights, even some where they have configured the
> user to root and I could change the mysql database.

Cool! We've built a hacking tool!

> This is what we need to do to fix it:
> 1. All served up pages should contain directives to instruct search robots
> not to index the files. This will stop so many sites being listed in the
> search engines.

I agree, but we cannot trust in these directives, imho.

> 2. We should deprecate the user/password standard login, or add a bit of
> technology to it. We should throw up a login page of our own, that should
> authenticate against a user/password pair in an array inside the
> configuration file. It might be possible to keep the automatic login of
> user/password, but it should not be enabled by default, for security.
> And the configuration option to turn that unsecure method back on should
> have huge warnings around it.

Could we detect a .htaccess protection?
If so, let's display a big red warning if someone uses the config auth mode
without a .htaccess protection...

Alexander
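The two mitigations discussed in this thread (robots directives on every served page, and a loud warning when the "config" auth mode is used without web-server authentication in front of it) can be sketched in a few lines of PHP. The block below is an added example written for this page; it is not phpMyAdmin's code and not from either mail. The `auth_type` value and the `pma_example_*` function names are assumptions, and the .htaccess detection is only a heuristic: Apache with mod_php exposes HTTP auth results in `$_SERVER`, but CGI/FastCGI setups frequently do not, so "not detected" must be read as "could not confirm", which is exactly the caveat Alexander raises about trusting such a check.

```php
<?php
// Added example (not phpMyAdmin's own code): robots directives plus a
// warning when credentials are hardcoded in the config without HTTP auth.

/**
 * Heuristic: did the web server already authenticate this request?
 * Apache + mod_php fills these keys after Basic/Digest auth succeeds.
 * Under CGI/FastCGI they are often missing, so false means "unknown",
 * not "definitely unprotected".
 */
function pma_example_http_auth_detected(array $server): bool
{
    foreach (['PHP_AUTH_USER', 'REMOTE_USER', 'REDIRECT_REMOTE_USER', 'AUTH_TYPE'] as $key) {
        if (isset($server[$key]) && $server[$key] !== '') {
            return true;
        }
    }
    return false;
}

/**
 * Returns the warning to render, or null when none is needed.
 * $auth_type mirrors a per-server 'auth_type' setting (assumed name);
 * 'config' means user/password are stored in the configuration file.
 */
function pma_example_config_auth_warning(string $auth_type, array $server): ?string
{
    if ($auth_type !== 'config' || pma_example_http_auth_detected($server)) {
        return null;
    }
    return 'Warning: auth_type is "config" (credentials stored in the '
         . 'configuration file) and no HTTP authentication was detected. '
         . 'Anyone who reaches this URL gets the configured database rights. '
         . 'Protect this directory with .htaccess or use another auth mode.';
}

/** Robots directive as an HTTP header (covers non-HTML responses too). */
function pma_example_send_robots_header(): void
{
    if (!headers_sent()) {
        header('X-Robots-Tag: noindex, nofollow, noarchive');
    }
}

/** Same directive as a <meta> tag for the HTML pages. */
function pma_example_robots_meta(): string
{
    return '<meta name="robots" content="noindex,nofollow,noarchive">';
}

// --- usage: what a page header would do ---
pma_example_send_robots_header();
$auth_type = 'config';   // constructed: the risky setting under discussion
$warning   = pma_example_config_auth_warning($auth_type, $_SERVER);

echo "<html><head>\n", pma_example_robots_meta(), "\n</head><body>\n";
if ($warning !== null) {
    // Big red warning, as proposed in the thread; escape to avoid injecting markup.
    echo '<p style="color:red;font-weight:bold">', htmlspecialchars($warning), "</p>\n";
}
echo "</body></html>\n";
```

The robots directives only reduce how many installations end up in search results; they do nothing against someone who already knows the URL, which is why the warning (and ultimately not shipping hardcoded credentials as the default) is the part that actually closes the hole.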