[Phpmyadmin-devel] Re: MAJOR security hole

Marc Delisle Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 07:23:02 CEST 2002


Rabus wrote:

> ----- Original Message -----
> From: "Robin Johnson" <robbat2 at fermi.orbis-terrarum.net>
> 
>>I've just had a major security hole reported to me by
>>Colin Keigher (AnimeFreak) <animefreak at users.sourceforge.net>
>>It relates to how some sites have PMA set up (they have username
>>and password hardcoded, without any .htaccess protection).
>>
> 
> Arg...! No comment :o)
> 
> 
>>Basically, by searching on Google for "Welcome to phpMyAdmin" or its
>>translated equivalents, you can find a lot of PMA installations. You can
>>put the version number in there as well, like "Welcome to phpMyAdmin
>>2.3.0-rc1"
>>Here is a sample URL to search:
>>
>>
> http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome+to+phpMyAdmin+2.3.0%22&meta=
> 
>>With using some of these URL's you can do stuff like:
>>http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
>>
> 
> I've just merged a fix against that, but it needs some testing since I do
> not have a machine here which is affected by this security hole.
> 
> 

Alexander,

you won't like me, but I think we should wait to include a fix for a
"hole" until a developer can reproduce it.


Marc
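The sql.php?goto=/etc/passwd URL quoted in the thread shows a request parameter choosing which file the script reads. The following is an added example, not part of the original thread and not phpMyAdmin's own code or its actual fix: it assumes (the thread does not show the source) that the raw goto value reached an include(), and the function and list names are illustrative. It puts the unsafe pattern beside an allow-list check that accepts only known script names, never paths.

```php
<?php
// Added example, not phpMyAdmin code. Assumption: sql.php included the raw
// goto parameter, which is what would let goto=/etc/passwd dump a system file.
// $allowed_targets and the function names are illustrative.

// Unsafe pattern: the request decides which file is included.
function redirect_unsafe(string $goto): void
{
    include $goto;   // goto=/etc/passwd or ../../etc/passwd is read verbatim
}

// Returns true only when $goto names one of the scripts we expect to hand off
// to. basename() drops any directory part ("../", "/etc/"); the remainder must
// then match an allow-list entry exactly, suffix included.
function is_allowed_goto(string $goto, array $allowed_targets): bool
{
    $target = basename($goto);
    return in_array($target, $allowed_targets, true);
}

// Hardened pattern: refuse anything that is not on the list, then include the
// script from our own directory rather than from whatever the client sent.
function redirect_safe(string $goto): void
{
    static $allowed_targets = ['main.php', 'db_details.php', 'tbl_properties.php', 'sql.php'];

    if (!is_allowed_goto($goto, $allowed_targets)) {
        http_response_code(400);
        exit('Invalid goto target');
    }
    include __DIR__ . '/' . basename($goto);
}

// Constructed inputs for a quick run from the command line:
$samples = ['main.php', '/etc/passwd', '../../etc/passwd', 'main.php/../../etc/passwd', 'MAIN.PHP'];
foreach ($samples as $s) {
    printf("%-32s %s\n", $s, is_allowed_goto($s, ['main.php', 'db_details.php', 'tbl_properties.php', 'sql.php']) ? 'allowed' : 'rejected');
}
```

The allow-list only closes the file-read path; the other half of Robin's report, installs with the MySQL username and password hardcoded and no .htaccess in front, is a deployment problem that no code change in sql.php fixes.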




