[Phpmyadmin-devel] Re: [Phpmyadmin-users] bugs recently published on securityfocus are true?
Michal Cihar
nijel at users.sourceforge.net
Wed Jun 18 13:13:15 CEST 2003
Hi
On Wednesday 18 of June 2003 21:37, Garvin Hicking wrote:
> > Hi: I just want to know... if the recently published bugs at securityfocus
> > are true... sometimes the people lie on this list... that's my
> > question... --Visita
>
> You seem to mean http://www.securityfocus.com/archive/1/325641 ? I just
> found that by searching the site. Sadly though, that person has never
> contacted the team about that issue.
>
> As far as I can tell, that ImportDocSQL security issue was fixed since
I can still browse the phpMyAdmin directory - this should be fixed.
> 2.5.0 - I haven't looked into the other XSS issues, as the original poster
> doesn't exactly specify them.
There are some examples you can try:
http://sql/read_dump.php3?db=nonexistent&sql_query=%3Cscript%3Ewindow.alert(%22ha%22)%3C/script%3E
> Most actions need a valid 'session' to
> execute cross-site scripting, which is not *that* serious.
Maybe even worse, you can include JavaScript that will read cookies with login
and password...
> Storing cookies
> unencrypted is documented in some of our RFE trackers, why we don't encrypt
> the data currently.
The proposed solution for this seems like a joke :-)
- Second: Use a partial / secure encoding for authentication tokens like
RadiX64 (not very secure, but an attacker
can think that it is a more secure algorithm, obscurity ;-D).
> But our team should definitely take some time to write a follow-up/response
> to that item...
If nobody else will take this, I will look at some problems tomorrow.
What I don't understand is why they didn't first contact the developers, as is usual with
security problems...
btw: I just looked for something on the net (only .cz, searched by jyxo.cz)
and I found several publicly accessible installations with config-stored
passwords :-))
--
Regards
Michal Cihar
nijel at users dot sourceforge dot net
http://cihar.liten.cz
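The two problems raised in this thread are a request parameter (`sql_query`) reflected into an error page unescaped, and a session cookie that page scripts can read. The snippet below is an added example for this page, not phpMyAdmin's own code from 2003 or later; the function names `h`, `render_missing_db_message` and `set_session_cookie`, the cookie name `pma_session`, and the use of the PHP 7.3+ `setcookie()` options array are assumptions. It shows the reflected value being HTML-escaped so the quoted `<script>` payload is rendered as text, and the session cookie being set `HttpOnly` so `document.cookie` cannot hand it to injected script.

```php
<?php
// Added example (not phpMyAdmin code). Names are hypothetical.
// 1) Escape any request parameter before echoing it back into HTML.
// 2) Mark the session cookie HttpOnly so injected script cannot read it.

declare(strict_types=1);

/** Escape a string for safe insertion into an HTML text node or attribute value. */
function h(string $value): string
{
    // ENT_QUOTES also escapes single quotes, so the result is safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the "database not found" message, reflecting the user's query safely. */
function render_missing_db_message(string $db, string $sql_query): string
{
    return '<p>Database ' . h($db) . ' does not exist. Query was: <code>'
        . h($sql_query) . '</code></p>';
}

/** Set the session cookie so that JavaScript running in the page cannot read it. */
function set_session_cookie(string $token): bool
{
    // Options array form requires PHP 7.3 or newer (assumption for this example).
    return setcookie('pma_session', $token, [
        'httponly' => true,   // not exposed via document.cookie
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',  // not sent on cross-site top-level POSTs
        'path'     => '/',
    ]);
}

// Constructed input mirroring the payload quoted in the thread.
$sql_query = '<script>window.alert("ha")</script>';

// The angle brackets and quotes come out as entities, so the browser displays the
// tag text instead of running it.
echo render_missing_db_message('nonexistent', $sql_query), PHP_EOL;
```

`htmlspecialchars()` is only correct for HTML text and attribute contexts; a value inserted into a `<script>` block, a URL, or inline CSS needs the encoder for that context instead. `HttpOnly` does not stop the XSS itself, it only removes the cookie from what injected script can reach, so it complements escaping rather than replacing it.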