[Phpmyadmin-devel] Problems with Garvin's Patches

Marc Delisle delislma at CollegeSherbrooke.qc.ca
Tue Feb 25 06:35:12 CET 2003

robbat2 at orbis-terrarum.net wrote:

> In this case, evil user is a malicious user that has access to a database
> or table already, and wants to root the system.
> Evil user adds a transform that reads a piece of data from the server as
> a root user, somewhere else on the file system, say /tmp (using the
> docSQL bug). The fix can conform to your naming requirements or not.
> Now evil user makes his own table, and puts in a value of '/etc/shadow'
> or any file he wants. He then gets the exact transform he wants to run
> on the '/etc/shadow' string. He's now got your entire /etc/shadow file,
> with your passwords or worse.


I don't understand your point. I think that, for this to work,
the web server would have to run under a privileged user
(a thing definitely not recommended) and/or PHP would not be
set in safe mode.  And if PHP is not in safe mode, it's a lot
easier than you describe to read in some protected files.


