[Phpmyadmin-devel] disabled functions for security

robbat2 at orbis-terrarum.net robbat2 at orbis-terrarum.net
Sun Feb 23 04:39:06 CET 2003

On Sun, Feb 23, 2003 at 06:58:11AM -0500, Marc Delisle wrote:
> >Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs()
> >???
> Fine admins at members.lycos.co.uk.  Talk to them, you are in Europe :)
I agree there may be places to disable that function, and their setup
may be one of them. There was a PHP script going around a few months ago
that set out to hack MySQL databases by getting upload to a site and
run. It used the mysql_list_dbs() to get a list of targets for you to
choose from.

> >I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW
> >DATABASES;') since this should bring the same result.
> Let's look at this after 2.4.0, I think it's late in the cycle to 
> introduce this.
I agree with this. It is too late for it now. I was going to do some
work on the database listing stuff for 2.4.1 anyway, so I'll write up
our PMA_list_dbs() for then.

> >>Problem is, in this case, function_exists('ini_get') is true
> >>even if ini_get() is disabled.
> >This is a problem, indeed. As far as I can say, we can only work around
> >this by adding a new directive to the config file, e.g.
> >$cfg['IniGetDisabled'] with default value FALSE. In this case we simply
> >replace ...
> >
> >function_exists('ini_get')
> >
> >... by ...
> >
> >(!$cfg['IniGetDisabled'] && function_exists('ini_get'))
Just taking this generic for a sec, does somebody want to throw together
PMA_function_exists() that does the function_exists check + check if
it's disabled for a better result?

Robin Hugh Johnson
E-Mail     : robbat2 at orbis-terrarum.net
Home Page  : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ#       : 30269588 or 41961639
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20030223/d13b0de0/attachment.sig>

More information about the Developers mailing list