[Phpmyadmin-devel] Including admin scripts for end-users
Garvin Hicking
phpmyadmin at supergarv.de
Tue Nov 22 04:33:02 CET 2005
Hi Sebastian!
>> I've never seen a server where .sh scripts can be executed within a usual
>> web application folder. If bash files are executed, they usually have to live
>> within a cgi-bin folder, and even then, .sh is seldom included in the
>> CGI folder. Plus, such a file would have the "execute" flag set, which PHP
>> scripts don't require.
>
> hey, this was a joke, and "never seen" does not mean "never happens"!
I'm sorry then, I didn't get the joke. :)
>> We should prevent accessing PHP scripts that are not required for phpMyAdmin
>> operation, so as not to create an attack/intrusion vector for possible hackers. If
>> that file is only required for developers, only make it available to
>> developers, or make developers change the filename to be able to execute
>> it. Don't bother the usual user with such a file, for whom such a file can
>> only do evil and nothing good.
>
> change it ... if you like ... I don't see it like you do ...
I would like to get feedback from Marc or Michal: how do you feel about that?
>> That's what the last couple of security bugfixes were about. Until the code
>> has been FULLY reworked, we cannot guarantee there are still register_globals
>> issues left. :-)
>
> these security fixes were BEFORE PMA always reverted register_globals
I haven't seen the new code yet, but if you say we have working code that
makes injecting global variables IMPOSSIBLE, then please disregard my concern.
> so it's not more a 'register_globals' problem than a 'what does PMA automatically
> import' problem.
Well, to me both questions lead to the same security issue about injecting
variables that PMA did not want.
Best regards,
Garvin
--
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
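The thread above argues about whether PMA's register_globals reversal makes variable injection impossible. As an added illustration (not phpMyAdmin's own code, and not something posted in this thread), the following stand-alone PHP script shows the injection the participants are worried about and one way to undo it before any application code runs. The request array, the `is_superuser` flag name and the helper function names are all constructed for this example; PHP removed register_globals in 5.4, so the script emulates the directive itself.

```php
<?php
// Added example, not phpMyAdmin code. Demonstrates how a request parameter
// becomes a global variable under register_globals=On, and one way to revert
// that before application code runs. Everything below is constructed.

// Names PHP itself places in the global scope; these must never be unset.
const SUPERGLOBALS = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                      '_FILES', '_ENV', '_SERVER', '_SESSION'];

// Emulates register_globals=On (removed in PHP 5.4): every request key is
// copied into the global symbol table, whatever name the client chose.
function simulate_register_globals(array $request): void
{
    foreach ($request as $key => $value) {
        $GLOBALS[$key] = $value;
    }
}

// Reverts the effect: any global whose name equals a request parameter is
// dropped, unless it is a superglobal. This has to run before the script
// assigns any variable of its own, otherwise legitimate values are wiped too.
function revert_register_globals(array $request): void
{
    foreach (array_keys($request) as $key) {
        if (in_array($key, SUPERGLOBALS, true)) {
            continue;
        }
        unset($GLOBALS[$key]);
    }
}

// Constructed attacker request: "is_superuser" is a hypothetical internal
// flag the script expects to compute itself, never to read from the client.
$request = ['db' => 'test', 'is_superuser' => '1'];
$_GET    = $request;   // what the web server would have populated

simulate_register_globals($request);
$injected_before = isset($is_superuser);   // the flag now exists as a global

revert_register_globals($request);
$injected_after = isset($is_superuser);    // the injected flag is gone

// Application code still reaches legitimate parameters through the
// superglobal they arrived in, so the reversal costs it nothing.
$db = isset($_GET['db']) ? $_GET['db'] : '';

printf("injected before revert: %s\n", $injected_before ? 'yes' : 'no');
printf("injected after revert:  %s\n", $injected_after ? 'yes' : 'no');
printf("db parameter still readable: %s\n", $db);
```

The point Garvin makes about "what does PMA automatically import" is visible in the last lines: once the reversal has run, a script can only see client data by reading `$_GET`, `$_POST` or `$_COOKIE` explicitly, so an internal flag cannot be set from the query string. The reversal is only as good as its placement, though: it must execute before any other code, and any include that is reachable directly (the "admin script" the thread discusses) and does not go through that common entry point is not protected by it.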