[Phpmyadmin-devel] CVS: phpMyAdmin/test/theme.php,NONE,1.1

Sebastian Mendel lists at sebastianmendel.de
Tue Nov 22 04:08:11 CET 2005


Garvin Hicking wrote:
> Hi Sebastian!
> 
>>> .sh scripts cannot be executed through HTTP. .php Scripts can.
>> depends on server configuration ... ok, but why should we prevent this?
> 
> I've never seen a server where .sh scripts can be executed with a usual
> web application folder. If bash files are executed, they usually have to live
> within a cgi-bin folder, and even then, .sh is seldom included in the
> CGI-folder. Plus, such a file would have the "execute" flag set, which PHP
> scripts don't require.

Hey, this was a joke, and "never seen" does not mean "never happens"!


> We should prevent accessing PHP scripts that are not required for phpMyAdmin
> operation, to not create an attack/intrusion vector for possible hackers. If that
> file is only required for developers, only make it available for developers, or
> make developers change the filename to be able to execute it. Don't bother
> the usual user with such a file, for whom such a file can only do evil and
> nothing good.

Change it ... if you like ... I don't see it like you do ...


>>> Header with any content you like. Plus you might be able to pass $HTTP_HOST as
>>> a register_global variable.
>> mhm, PMA does not use register_globals and even deletes already registered
>> globals
> 
> That's what the last couple of security bugfixes were about. Until the code has
> been FULLY reworked, we cannot guarantee there are still register_global issues
> left. :-)

These security fixes were from BEFORE PMA always reverted register_globals.

So it's not more of a 'register globals' problem than a 'what does PMA
automatically import' problem.


-- 
Sebastian Mendel

www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
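The exchange above turns on two things: undoing whatever PHP's register_globals has already put into the global scope, and controlling what the application then imports from the request on its own. The following is an added example, not phpMyAdmin's code and not from either author, showing one way an entry point can do both. The function names, the GLOBALS overwrite check and the allow-list of parameters are assumptions for illustration.

```php
<?php
// Added example, not phpMyAdmin code. Two defensive steps for a PHP entry
// point on a server where register_globals might be on:
//   1. undo register_globals, so nothing the client sent lands in a global
//      variable by name;
//   2. import only an allow-listed set of request parameters, each with a
//      type check, instead of "automatically importing" whatever arrived.

// Step 1: remove every global whose name came from the request.
function undo_register_globals()
{
    // Nothing to do when the directive is off (it no longer exists in PHP >= 5.4).
    if (!ini_get('register_globals')) {
        return;
    }

    // A request key named GLOBALS would let the client overwrite the whole
    // global table on old PHP versions; refuse to continue rather than
    // trying to repair it. (Assumed check, not phpMyAdmin's.)
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        die('GLOBALS overwrite attempt');
    }

    // Superglobals must survive, otherwise step 2 has nothing to read from.
    $keep = array(
        'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST', '_SERVER',
        '_ENV', '_FILES', '_SESSION',
    );

    $sources = array($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    if (isset($_SESSION) && is_array($_SESSION)) {
        $sources[] = $_SESSION;
    }

    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            if (!in_array($name, $keep, true)) {
                // Unsetting through $GLOBALS removes the variable in every scope.
                unset($GLOBALS[$name]);
            }
        }
    }
}

// Step 2: allow-listed import. $spec maps parameter name => expected type
// ('string', 'int' or 'bool'); anything not listed is never imported.
// Returns the cleaned values; the caller decides where to put them.
function import_request_vars(array $spec, array $request)
{
    $out = array();
    foreach ($spec as $name => $type) {
        if (!array_key_exists($name, $request) || is_array($request[$name])) {
            continue;               // missing or structurally wrong: skip it
        }
        $value = $request[$name];
        switch ($type) {
            case 'int':
                if (!preg_match('/^-?[0-9]+$/', (string) $value)) {
                    continue 2;     // not an integer literal: skip it
                }
                $out[$name] = (int) $value;
                break;
            case 'bool':
                $out[$name] = ($value === '1' || $value === 'true');
                break;
            default:
                $out[$name] = (string) $value;
        }
    }
    return $out;
}

undo_register_globals();

// Hypothetical allow-list for a database browsing page.
$params = import_request_vars(
    array('db' => 'string', 'table' => 'string', 'pos' => 'int', 'full' => 'bool'),
    $_REQUEST
);
// Only $params['db'], $params['table'], ... exist from here on; a request
// parameter such as "cfg" or "is_admin" never becomes a variable.
```

The point of the second function is the one made in the message: once register_globals is neutralised, the remaining exposure is whatever the application chooses to pull out of the request itself, so that import should be explicit and per-parameter rather than a loop over everything the client supplied.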
