[Phpmyadmin-devel] Re: [Phpmyadmin-users] bugs recently published on securityfocus are true?

Garvin Hicking squirrel at supergarv.de
Wed Jun 18 14:08:10 CEST 2003


Hi Michal!

> I can still browse in phpMyAdmin directory - this should be fixed.

Yes, the default docpath should point to the docSQL directory.
But only because the base directory for DocSQL uploads has no subdirectory of its own and
thereby starts in the phpMyAdmin root. We should thereby change the main docpath
from this:

 $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/' . eregi_replace('\.\.*', '.', $docpath);

into this:

 $docpath = $DOCUMENT_ROOT . dirname($PHP_SELF) . '/docSQL/' . eregi_replace('\.\.*', '.', $docpath);

But this has some follow-up issues and needs some looking-into. I'm too tired to do
this today, so next time :)

>> Most actions need a valid 'session' to
>> execute cross-site scripting, which is not *that* serious.
>
> Maybe even worse, you can include javascript that will read cookies with login
> and password...

I don't know if I understand that correctly: You can only read your own cookies with
JavaScript, and you know that password already. Because when others open a PMA page
without a login, they only access their empty cookie, right?

> What I don't understand why didn't first contact developers as is usual in
> security problems...

I generally dislike the style of the author's 'report'. :)

> btw: I just looked for something on the net (only .cz, searched by jyxo.cz)
> and I found several publicly accessible installations with config stored
> passwords :-))

Yes, funny thing to do *g*

Regards,
Garvin.
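
The docpath confinement discussed in this mail, as an added example that is not part of the original message and not phpMyAdmin code: it canonicalises a user-supplied subdirectory and accepts it only if the result stays inside the docSQL base directory. The helper name resolve_docpath() and the temporary directory layout (projectA, docSQL-old) are hypothetical and constructed for the demonstration.

```php
<?php
/**
 * Resolve $userPath below $base. Returns the canonical directory path,
 * or null when the result is missing or lies outside $base.
 * Hypothetical helper written for this example.
 */
function resolve_docpath(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false || !is_dir($baseReal)) {
        return null;                      // base missing or unreadable
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                      // NUL bytes never belong in a path
    }
    // realpath() collapses "." and "..", follows symlinks, and returns
    // false when the target does not exist.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_dir($candidate)) {
        return null;
    }
    // Compare against the base plus a trailing separator, so that a
    // sibling such as "docSQL-old" does not pass as being inside "docSQL".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $baseReal
        && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample layout in the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docpath_demo_' . getmypid();
mkdir($root . '/docSQL/projectA', 0700, true);
mkdir($root . '/docSQL-old', 0700, true);
$base = $root . '/docSQL';

$inputs = ['', 'projectA', '..', '../docSQL-old', 'projectA/../..', 'missing'];
foreach ($inputs as $input) {
    $resolved = resolve_docpath($base, $input);
    printf("%-18s => %s\n", var_export($input, true), $resolved ?? 'rejected');
}

// Remove the constructed directories again.
rmdir($root . '/docSQL/projectA');
rmdir($root . '/docSQL');
rmdir($root . '/docSQL-old');
rmdir($root);
```

Only the empty input and `projectA` resolve to a path; the parent directory, the sibling directory and the non-existent entry are rejected.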



