[Phpmyadmin-devel] disabled functions for security

Marc Delisle delislma at CollegeSherbrooke.qc.ca
Mon Mar 3 07:10:17 CET 2003


robbat2 at orbis-terrarum.net wrote:

> On Sun, Feb 23, 2003 at 06:58:11AM -0500, Marc Delisle wrote:
> 
>>>Disabling ini_get() is OK, but who the f*** disables mysql_list_dbs()
>>>???
>>>
>>Fine admins at members.lycos.co.uk.  Talk to them, you are in Europe :)
>>
> I agree there may be places to disable that function, and their setup
> may be one of them. There was a PHP script going around a few months ago
> that set out to hack MySQL databases by getting upload to a site and
> run. It used the mysql_list_dbs() to get a list of targets for you to
> choose from.
> 
> 
>>>I wonder if we shouldn't bypass mysql_list_dbs() by mysql_query('SHOW
>>>DATABASES;') since this should bring the same result.
>>>
>>Let's look at this after 2.4.0, I think it's late in the cycle to 
>>introduce this.
>>
> I agree with this. It is too late for it now. I was going to do some
> work on the database listing stuff for 2.4.1 anyway, so I'll write up
> our PMA_list_dbs() for then.
> 
> 
>>>>Problem is, in this case, function_exists('ini_get') is true
>>>>even if ini_get() is disabled.
>>>>
>>>This is a problem, indeed. As far as I can say, we can only work around
>>>this by adding a new directive to the config file, e.g.
>>>$cfg['IniGetDisabled'] with default value FALSE. In this case we simply
>>>replace ...
>>>
>>>function_exists('ini_get')
>>>
>>>... by ...
>>>
>>>(!$cfg['IniGetDisabled'] && function_exists('ini_get'))
>>>
> Just taking this generic for a sec, does somebody want to throw together
> PMA_function_exists() that does the function_exists check + check if
> it's disabled for a better result?
> 
> 
Robin,


I agree to take this generic, but just *how* can we check if it's disabled?
Try it and look for an error?

Marc
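As an added illustration of the two ideas in this thread (it is not phpMyAdmin's own code, and the names PMA_function_exists(), PMA_ini_get_usable() and PMA_list_dbs() are only the names the thread proposes, written here as assumed signatures): a generic "is this function really usable?" check that combines function_exists() with the disable_functions ini list, plus Marc's "try it and look for an error" probe for the case where ini_get() itself is the disabled function, and a database listing that goes through a plain SHOW DATABASES query instead of mysql_list_dbs(). It assumes PHP 7 or later and mysqli; $cfg['IniGetDisabled'] is the config directive suggested above.

```php
<?php
// Added example, not phpMyAdmin code. Assumes PHP >= 7 with mysqli available.
// $cfg['IniGetDisabled'] is the configuration flag proposed in the thread.

/**
 * Can ini_get() actually be called? Before PHP 8.0 a function listed in
 * disable_functions still makes function_exists() return true; calling it
 * only emits an E_WARNING ("... has been disabled for security reasons")
 * and returns null. We probe once with a harmless argument and watch for
 * that warning. PHP 8 removes disabled functions entirely, so the
 * function_exists() test already answers there.
 */
function PMA_ini_get_usable(array $cfg = []): bool
{
    if (!empty($cfg['IniGetDisabled']) || !function_exists('ini_get')) {
        return false;
    }
    $warned = false;
    set_error_handler(function (int $errno, string $errstr) use (&$warned): bool {
        if (stripos($errstr, 'disabled') !== false) {
            $warned = true;
        }
        return true; // swallow the warning so the probe stays silent
    });
    try {
        ini_get('display_errors');
    } catch (\Throwable $e) { // PHP 8 would throw instead of warning
        $warned = true;
    } finally {
        restore_error_handler();
    }
    return !$warned;
}

/**
 * function_exists() plus the disable_functions check. When ini_get() is
 * unusable we cannot read the list, so we fall back to function_exists()
 * alone; callers that need certainty should treat that case as "unknown".
 */
function PMA_function_exists(string $name, array $cfg = []): bool
{
    if (!function_exists($name)) {
        return false;
    }
    if (!PMA_ini_get_usable($cfg)) {
        return true; // best effort: the list itself is unreadable
    }
    $disabled = (string) ini_get('disable_functions');
    foreach (explode(',', $disabled) as $fn) {
        if (strcasecmp(trim($fn), $name) === 0) {
            return false;
        }
    }
    return true;
}

/**
 * Equivalent of mysql_list_dbs() that cannot be blocked by disable_functions:
 * a plain SHOW DATABASES query over an existing mysqli connection.
 */
function PMA_list_dbs(mysqli $link): array
{
    $result = $link->query('SHOW DATABASES');
    if ($result === false) {
        throw new RuntimeException('SHOW DATABASES failed: ' . $link->error);
    }
    $dbs = [];
    while ($row = $result->fetch_row()) {
        $dbs[] = $row[0];
    }
    $result->free();
    return $dbs;
}

// Usage (constructed): report which checks pass on this PHP build.
$cfg = ['IniGetDisabled' => false];
printf("ini_get usable: %s\n", PMA_ini_get_usable($cfg) ? 'yes' : 'no');
printf("mysql_list_dbs usable: %s\n", PMA_function_exists('mysql_list_dbs', $cfg) ? 'yes' : 'no');
// Connection parameters are placeholders; set them to list databases.
if (getenv('PMA_EXAMPLE_HOST') !== false) {
    $link = new mysqli(getenv('PMA_EXAMPLE_HOST'), getenv('PMA_EXAMPLE_USER'),
                       getenv('PMA_EXAMPLE_PASS'));
    print_r(PMA_list_dbs($link));
}
```

Two caveats worth keeping in mind: SHOW DATABASES only returns databases the connected account holds some privilege on (the same restriction the old function was subject to, since it ran that statement internally), and the probe in PMA_ini_get_usable() is only safe because ini_get() with a read-only argument has no side effects; probing arbitrary functions by calling them would not be.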
