[Phpmyadmin-devel] Re: [Phpmyadmin-cvs] CVS: phpMyAdmin/test theme.php,NONE,1.1

Garvin Hicking phpmyadmin at supergarv.de
Tue Nov 22 03:54:01 CET 2005


Hi Sebastian!

>> .sh scripts cannot be executed through HTTP. .php scripts can.
>
> depends on server configuration ... ok, but why should we prevent this?

I've never seen a server where .sh scripts can be executed within a usual
web application folder. If bash files are executed, they usually have to live
within a cgi-bin folder, and even then, .sh is seldom included in the
CGI folder. Plus, such a file would have the "execute" flag set, which PHP
scripts don't require.

We should prevent accessing PHP scripts that are not required for phpMyAdmin
operation, so as not to create an attack/intrusion vector for possible hackers. If that
file is only required for developers, only make it available for developers, or
make developers change the filename to be able to execute it. Don't bother
the usual user with such a file, for whom it can only do evil and
nothing good.

>> Header with any content you like. Plus you might be able to pass $HTTP_HOST as
>> a register_global variable.
>
> mhm, PMA does not use register_globals and even deletes already registered
> globals

That's what the last couple of security bugfixes were about. Until the code has
been FULLY reworked, we cannot guarantee there are still register_global issues
left. :-)

> but anyway, i will change this

Thanks!

Best regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
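The two guards discussed above (keeping a developer-only script from being reached over HTTP, and neutralising anything that register_globals may have injected, including a client-supplied $HTTP_HOST), as an added example that is not phpMyAdmin code and not part of the original message. It assumes PHP 7 or later; the function names and the allowed-host list are illustrative only.

```php
<?php
// Added example, not phpMyAdmin's own code. Assumes PHP >= 7.

// 1) A developer-only script (the thread's test/theme.php case) should refuse
//    to run under any web SAPI. Run it as `php test/theme.php` instead.
//    Returns true when execution may continue, false when it must stop;
//    the caller decides how to report it (hypothetical helper).
function dev_only_guard(string $sapi = PHP_SAPI): bool
{
    return $sapi === 'cli';
}

// 2) Neutralise register_globals: a global whose name matches a key sent in
//    any request superglobal may have been planted by the client, so drop it.
//    Call this before application code reads any global.
//    Returns the names removed so a caller can log them.
//    Note: register_globals was removed in PHP 5.4, so on a modern engine
//    ini_get() reports it as off and nothing is touched.
function unregister_globals(): array
{
    if (!filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        return [];
    }
    // Never unset the superglobals themselves, even if a client sends
    // a parameter literally named "_SERVER" or "GLOBALS".
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                  '_SERVER', '_ENV', '_FILES', '_SESSION'];
    $removed = [];
    foreach ([$_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER] as $source) {
        foreach (array_keys($source) as $name) {
            if (in_array($name, $protected, true)) {
                continue;
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed[] = $name;
            }
        }
    }
    return $removed;
}

// 3) Read the Host header from $_SERVER only (never from a bare $HTTP_HOST
//    global, which register_globals lets the client define) and accept it
//    only if it is on an allow-list. Returns null when it is not.
//    $allowed is an assumption for the example; a real deployment would
//    take it from configuration.
function trusted_host(array $server, array $allowed): ?string
{
    $raw = $server['HTTP_HOST'] ?? '';
    // Strip an optional port; the header may legitimately carry one.
    $host = strtolower(preg_replace('/:\d+$/', '', $raw));
    if ($host === '' || !preg_match('/^[a-z0-9.-]+$/', $host)) {
        return null;           // garbage or an injected header value
    }
    return in_array($host, $allowed, true) ? $host : null;
}

// Usage as the first lines of a developer script (constructed sample input):
if (!dev_only_guard()) {
    header('HTTP/1.0 403 Forbidden');
    exit("This script is for developers and must be run from the command line.\n");
}
$dropped = unregister_globals();
$sample_server = ['HTTP_HOST' => 'pma.example.test:8080'];   // constructed
$host = trusted_host($sample_server, ['pma.example.test']);  // "pma.example.test"
echo 'dropped globals: ', implode(',', $dropped), "\n";
echo 'host: ', var_export($host, true), "\n";
```

The simplest alternative the message itself proposes needs no code at all: ship the file as something the PHP handler will not execute (for instance theme.php.dist) and let developers rename it, or deny the whole test/ directory in the web server configuration. The guard above is for the case where the file has to stay in the tree under its real name.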
