[Phpmyadmin-devel] Security issues

Michal Čihař michal at cihar.com
Thu Oct 14 11:29:06 CEST 2004


On Thu 14. 10. 2004 16:00, Garvin Hicking wrote:
> Hi All!
>
> >>> Summary:
> >>> When specifying specially formatted options to external MIME
> >>> transformation, an attacker can execute any shell command restricted by
> >>> privileges of httpd user.
>
> But it's not that "any shell command" can be executed? I thought that only
> output from the allowed programs can be redirected; thus you can actually
> only overwrite files with privileges of httpd user, right? I thought "|"
> and ";" are escaped by the shellarg-command, so that no other program could
> be spawned...?
>
> (Sorry, haven't had the time to investigate your fix)

As well as redirection, you can include $(rm -rf /) or `rm -rf /` there and it
will work.

-- 
    Michal Čihař | http://cihar.com
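
Added example, not part of the original message and not phpMyAdmin code: a constructed model of the point made in the reply, showing that a filter which escapes only "|" and ";" still lets the shell evaluate $(...) and backticks, while passing the options as a single argument does not. The function names, the `echo` stand-in for the allowed external program, and the sample option strings are all assumptions.

```shell
#!/bin/sh
# Constructed model: "options" stands for the user-supplied option string of
# an external transformation; `echo` stands in for the allowed program.

# Incomplete filter (assumed for illustration): backslash-escapes only
# "|" and ";", the two characters named in the quoted question.
escape_pipe_semicolon() {
    printf '%s' "$1" | sed -e 's/[|;]/\\&/g'
}

# Weak form: the filtered options are pasted into a command line that a
# shell then parses, so command substitution inside them is still evaluated.
run_filtered() {
    sh -c "echo $(escape_pipe_semicolon "$1")"
}

# Hardened form: the options travel as one positional argument and are
# never parsed as shell syntax.
run_as_argument() {
    sh -c 'echo "$1"' sh "$1"
}

# Constructed sample inputs; the substituted command is a harmless echo.
for options in 'a|b;c' 'opt $(echo INJECTED)' 'opt `echo INJECTED`'; do
    printf 'input:    %s\n' "$options"
    printf 'filtered: %s\n' "$(run_filtered "$options")"
    printf 'argument: %s\n\n' "$(run_as_argument "$options")"
done
```

In the "filtered" lines the pipe and semicolon come out as literal text, but both substitution forms are replaced by the output of the inner command; in the "argument" lines every input is printed back unchanged.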