[Phpmyadmin-devel] Re: [Phpmyadmin-users] bugs recently published on securityfocus are true?

Garvin Hicking squirrel at supergarv.de
Wed Jun 18 13:16:11 CEST 2003


Hi!

Having looked into the bug report a bit more, I noticed that my code definitely had
a bug since the 2.5.0 release. There's a line reading "if ($content != '')" which
should read "if ($content != 'none')" to effectively disable the printout of all
files in the directory.

But the basic thing the SecurityFocus report falsely states is that you can print
out any directory structure. But since 2.5.0 you cannot escape out of the base
phpMyAdmin installation, so this is not true. I wonder whether we have to disable
the output of files in the phpMyAdmin directory. Because when a user can access the
db_details_importsql.php file, he has to have a valid user account and thereby
should have FTP access anyways and can see all of the files. The files stored in the
SQL file upload area are accessible from the SQL query box, so no secret in that
area as well. That's why I haven't committed the above mentioned replacement of the
line. Do we want to hide any file the importer is ignoring?

Regarding the directory disclosure issue: The author means that PHP will print out the
'missing variable in file /ddd/xxx/eee/bla.php' and thereby showing the path. I
guess we can only hide that part by pointing out to not letting PHP print out errors
on a webpage in production environments. On our side, we can only reduce the PHP
error output, I guess?

Concerning the cookie storage, I'm not very experienced in this area. But patch item
http://sourceforge.net/tracker/index.php?func=detail&aid=705727&group_id=23067&atid=377410
and
http://sourceforge.net/tracker/index.php?func=detail&aid=564793&group_id=23067&atid=377411
(all covered by robbat) may give some hints on that?

For those XSS issues...well, I never got the clue out of how that can be dangerous.
Maybe someone can enlighten me on that? I guess we can escape all HTML-elements from
GET/POST variables by running them through htmlentities(), can't we?

Regards,
Garvin.
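As an added illustration (not phpMyAdmin code, and not part of the original mail) of the two points raised above, the following PHP sketch shows the `!= ''` versus `!= 'none'` filter on an upload-directory listing and the escaping of file names before they reach HTML. The function names, the `$detected` map and the convention that `'none'` marks a file the importer ignores are assumptions.

```php
<?php
// Added example, not phpMyAdmin code. Names and the 'none' convention are assumed.

/**
 * Decide which entries of the SQL upload directory are shown to the user.
 * $detected maps file name => type the importer detected, with 'none' meaning
 * the importer will ignore the file. The 2.5.0 check compared against '' instead
 * of 'none'; since 'none' is a non-empty string, ignored files were listed too.
 */
function importableFiles(array $detected, bool $fixed = true): array
{
    $shown = [];
    foreach ($detected as $name => $content) {
        $visible = $fixed ? ($content != 'none') : ($content != '');
        if ($visible) {
            $shown[] = $name;
        }
    }
    return $shown;
}

/**
 * Escape a value (file name, GET/POST parameter) for HTML output. ENT_QUOTES
 * also encodes quotes, so the value cannot break out of an attribute.
 */
function h(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample of what the importer might detect in the upload directory.
$detected = [
    'dump.sql'        => 'text/plain',
    'dump.sql.gz'     => 'application/x-gzip',
    'notes.txt'       => 'none',            // ignored by the importer
    'odd"name<1>.sql' => 'text/plain',      // needs escaping before output
];

echo "Listing with the 2.5.0 check (!= ''):\n";
foreach (importableFiles($detected, false) as $f) {
    echo '  <option value="' . h($f) . '">' . h($f) . "</option>\n";
}

echo "Listing with the corrected check (!= 'none'):\n";
foreach (importableFiles($detected, true) as $f) {
    echo '  <option value="' . h($f) . '">' . h($f) . "</option>\n";
}
```

Running it shows `notes.txt` only in the first listing, and the quote and angle brackets in the odd file name appear as entities in both.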
