[Phpmyadmin-devel] Security issues

Garvin Hicking phpmyadmin at supergarv.de
Thu Oct 14 07:03:52 CEST 2004

Hi All!

>>> Summary:
>>> When specifying specially formatted options to external MIME
>>> transformation, an attacker can execute any shell command restricted by
>>> privileges of httpd user.

But it's not that "any shell command" can be executed? I thought that only
output from the allowed programms can be redirected; thus you can actually only
overwrite files with privileges of httpd user, right? I thought "|" and ";" are
escaped by the shellarg-command, so that no other program could be spawned...?

(Sorry, haven't had the time to investigate your fix)


Garvin Hicking   | Web-Entwickler | Make me happy:
www.supergarv.de | #ICQ 21392242  | http://wishes.garv.info/

More information about the Developers mailing list