[Phpmyadmin-devel] Re: MAJOR security hole
Marc Delisle
Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 07:23:02 CEST 2002
Rabus wrote:
> ----- Original Message -----
> From: "Robin Johnson" <robbat2 at fermi.orbis-terrarum.net>
>
>>I've just had a major security hole reported to me by
>>Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
>>It relates to how some sites have PMA set up (they have username
>>and password hardcoded, without any .htaccess protection).
>>
>
> Arg...! No comment :o)
>
>
>>Basically, by searching on Google for "Welcome to phpMyAdmin" or it's
>>translated equivilents, you can find a lot of PMA installations. You can
>>put the version number in there as well, like "Welcome to phpMyAdmin
>>2.3.0-rc1"
>>Here is a sample URL to search:
>>
>>
> http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdm
> in+2.3.0%22&meta=
>
>>With using some of these URL's you can do stuff like:
>>http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
>>
>
> I've just merged a fix against that, but it needs some testing since I do
> not have a machine here which is affected by this securety hole.
>
>
Alexander,
you won't like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.
Marc
More information about the Developers
mailing list