[Phpmyadmin-devel] MAJOR security hole

Marc Delisle Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 05:13:03 CEST 2002


Robin Johnson wrote:

> Hi Guys,
> 
> I've just had a major security hole reported to me by
> Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
> It relates to how some sites have PMA set up (they have username
> and password hardcoded, without any .htaccess protection).
> 
> Basically, by searching on Google for "Welcome to phpMyAdmin" or its
> translated equivalents, you can find a lot of PMA installations. You can
> put the version number in there as well, like "Welcome to phpMyAdmin
> 2.3.0-rc1"
> Here is a sample URL to search:
> http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdmin+2.3.0%22&meta=
> 
> Using some of these URLs you can do stuff like:
> http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
Can a developer reproduce this problem? I tried and could not.
I even put my PHP in non-safe mode.
-- 
Marc Delisle
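The sample URL in the quoted report passes an absolute filesystem path (/etc/passwd) through the goto parameter of sql.php. Whether or not that particular request does anything on a given install (Marc could not reproduce it), the defensive pattern for a "go to this script next" parameter is the same: compare the requested value against an allow-list of known script names and fall back to a safe default otherwise. The following is an added example written for this page, not phpMyAdmin's own code; the function name safe_goto, the allow-list contents and the sample inputs are assumptions.

```php
<?php
// Added example, not phpMyAdmin code: allow-list validation for a
// "goto"-style parameter. The script names in $allowed are assumed.

function safe_goto(string $requested, array $allowed, string $default): string
{
    // Drop any query string the caller appended ("sql.php?x=1" -> "sql.php").
    $target = strtok($requested, '?');

    // Only an exact, bare file name from the allow-list passes. Anything
    // carrying a path separator, a parent reference, an absolute path,
    // a URL scheme or an embedded NUL byte is simply not in the list and
    // therefore falls through to the default.
    if ($target === false || $target === '' || !in_array($target, $allowed, true)) {
        return $default;
    }
    return $target;
}

// Assumed allow-list of scripts a request may legitimately continue to.
$allowed = ['index.php', 'main.php', 'db_details.php', 'tbl_properties.php', 'sql.php'];

// Constructed inputs covering the benign case and the usual abuse patterns.
$cases = [
    'main.php',               // legitimate target, passes through unchanged
    'sql.php?goto=main.php',  // query string is stripped, bare name checked
    '/etc/passwd',            // absolute path, as in the reported URL
    '../../../etc/passwd',    // directory traversal
    "main.php\0.txt",         // NUL-byte truncation attempt
    'http://evil.example/x',  // remote URL, would be an open redirect
];

foreach ($cases as $case) {
    printf("%-28s -> %s\n", addcslashes($case, "\0"), safe_goto($case, $allowed, 'index.php'));
}
```

The check is deliberately an exact match rather than a blacklist of "bad" characters: a new bypass in the encoding or path-normalisation layer cannot widen an allow-list. It complements, rather than replaces, the .htaccess-style access control the report notes is missing on the exposed sites, since a validated goto still does nothing about a hardcoded database username and password being reachable by anyone who finds the page through a search engine.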