[Phpmyadmin-devel] MAJOR security hole
Marc Delisle
Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 05:13:03 CEST 2002
Robin Johnson wrote:
> Hi Guys,
>
> I've just had a major security hole reported to me by
> Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
> It relates to how some sites have PMA set up (they have username
> and password hardcoded, without any .htaccess protection).
>
> Basically, by searching on Google for "Welcome to phpMyAdmin" or its
> translated equivalents, you can find a lot of PMA installations. You can
> put the version number in there as well, like "Welcome to phpMyAdmin
> 2.3.0-rc1"
> Here is a sample URL to search:
> http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdmin+2.3.0%22&meta=
>
> Using some of these URLs, you can do stuff like:
> http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
>
>
Can a developer reproduce this problem? I tried and could not.
I even put my PHP in non-safe mode.
--
Marc Delisle
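The report above concerns a `goto` parameter that accepts an arbitrary filesystem path. The usual mitigation is to treat such a parameter as an allowlist key rather than a path. The following is an added example written for this archive page; it is not phpMyAdmin's own code, and apart from `sql.php` (named in the report) the script names in the allowlist, the function name `validate_goto` and the fallback `index.php` are assumed placeholders.

```php
<?php
// Added example, not phpMyAdmin code: allowlist validation for a "goto"
// style parameter, so that a value such as "/etc/passwd" is rejected before
// it reaches include(), header() or any file operation.

// Assumed allowlist of scripts the application may jump to. Only sql.php is
// taken from the report; the other names are placeholders.
const GOTO_ALLOWLIST = [
    'index.php',
    'sql.php',
    'db_placeholder.php',
    'tbl_placeholder.php',
];

/**
 * Return the validated target, or the fallback when the value is not an
 * exact entry of the allowlist.
 *
 * The checks are deliberately redundant: path separators and NUL bytes are
 * rejected outright so the attempt can be logged, and the type-strict
 * in_array() comparison rejects anything that is not literally one of the
 * known scripts (relative traversal, absolute paths, decoded variants).
 */
function validate_goto(?string $value, string $fallback = 'index.php'): string
{
    if ($value === null || $value === '') {
        return $fallback;
    }

    // "/", "\" or a NUL byte can never appear in a legitimate script name.
    if (strpbrk($value, "/\\\0") !== false) {
        error_log('rejected goto parameter: ' . bin2hex($value));
        return $fallback;
    }

    // Exact, type-strict match against the allowlist.
    if (!in_array($value, GOTO_ALLOWLIST, true)) {
        error_log('rejected goto parameter: ' . $value);
        return $fallback;
    }

    return $value;
}

// Constructed sample inputs of the kind discussed in the thread.
$samples = ['sql.php', '/etc/passwd', '../config.inc.php', "sql.php\0", 'other.php'];
foreach ($samples as $s) {
    printf("%-22s -> %s\n", addcslashes($s, "\0"), validate_goto($s));
}
```

With the constructed inputs above, only `sql.php` passes; every other value falls back to `index.php` and is written to the error log, which is also where a defender would look for repeated probing of this parameter. The same pattern applies to any parameter the application later uses as a file name or redirect target: compare against a fixed list of known values, never against the filesystem.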