[Phpmyadmin-devel] Problems with Garvin's Patches

Garvin Hicking squirrel at supergarv.de
Tue Feb 25 06:55:10 CET 2003


Hi Robin!

> This is where a malicious input can be made, and it's not as difficult as
> a custom POST/GET even, just copying the HTML page, and changing a few
> URLs.

But this is certainly not standard workflow; you have to put your hands on an editor.

> In this case, evil user is a malicious user that has access to a database
> or table already, and wants to root the system.
> Evil user adds a transform that reads a piece of data from the server as
> a root user, somewhere else on the file system, say /tmp (using the
> docSQL bug). The fix can conform to your naming requirements or not.
> Now evil user makes his own table, and puts in a value of '/etc/shadow'
> or any file he wants. He then gets the exact transform he wants to run
> on the '/etc/shadow' string. He's now got your entire /etc/shadow file,
> with your passwords or worse.

No. Evil user only transmits the filename he wants to have. This is now inserted
into the database. Now nothing else happens; he has to browse through a table.

There, PMA reads what transformation should be applied. Because his new entry is not
inside PMA/libraries/transformations (checked via RegEx), the function inside this
file is not executed.

Remember, no files are uploaded inside the directory. Only if the user can put his
new file into the libraries/transformation directory can he gain access to file
functions. But then, he could just delete all files because he already has access.
:)

>> > Here is an idea for the quickbox, give it three mini-tabs:
>> Maybe it is a bit complicated to make a three-part query window, so I'll see what
>> can be done there. Worst thing would be to have input-buttons as TAB-icons instead
>> of text links, or to rely on javascript for that, again.
> Just separate the code for the different parts of the tab window into
> different files maybe? Or is the bug JS related?

It is JS related, because currently all history-actions are put into a single form
and transmitted from there to itself over and over again.

> logout - the logout link in the left frame
> login - on load of the frameset

Alright. Stupid me. :-)

-- 
Bye,
Garvin.
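The gate Garvin describes above, as an added PHP illustration that is not phpMyAdmin's own code: a transformation entry read back from the database is only used if it names an existing file inside the transformations directory, so a stored value such as '/etc/shadow' is never executed. The file-name pattern, the directory name and the sample file are assumptions for this example.

```php
<?php
// Added illustration (not phpMyAdmin code) of the "is this entry a file inside
// libraries/transformations?" check. Name pattern and layout are assumed.

function resolveTransformation(string $entry, string $transformDir): ?string
{
    // 1. Shape check: a plain file name only, no slashes, no '..'.
    //    Values like '/etc/shadow' or '../x' are rejected right here.
    if (!preg_match('/^[A-Za-z0-9_]+\.inc\.php$/', $entry)) {
        return null;
    }

    // 2. Resolve both paths and require the candidate to sit inside the
    //    transformation directory (realpath() also collapses symlinks).
    $base = realpath($transformDir);
    $path = realpath($transformDir . DIRECTORY_SEPARATOR . $entry);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }

    // 3. Must be an existing regular file; only then may it be included.
    return is_file($path) ? $path : null;
}

// Constructed sample directory so the example runs stand-alone.
$dir = sys_get_temp_dir() . '/pma_transform_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/text_plain__demo.inc.php', "<?php\n// demo transform\n");

$cases = [
    'text_plain__demo.inc.php',    // legitimate entry -> resolved
    '/etc/shadow',                 // absolute path stored by a hostile user -> rejected
    '../../etc/passwd',            // traversal attempt -> rejected
    'text_plain__missing.inc.php', // well-formed name but no such file -> rejected
];
foreach ($cases as $c) {
    $r = resolveTransformation($c, $dir);
    printf("%-30s => %s\n", var_export($c, true),
        $r === null ? 'REJECTED' : 'ok: ' . basename($r));
}

// Clean up the constructed directory.
unlink($dir . '/text_plain__demo.inc.php');
rmdir($dir);
```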
