[Phpmyadmin-devel] Including admin scripts for end-users

Garvin Hicking phpmyadmin at supergarv.de
Tue Nov 22 04:33:02 CET 2005

Hi Sebastian!

>> I've never seen a server where .sh scripts can be executed with a usual
>> webapplication folder. If bash files are executed, they usually have to live
>> within a cgi-bin folder, and even then, .sh is seldom included in the
>> CGI-folder. Plus, such a file would have the "execute" flag set, which PHP
>> scripts don't require.
> hey, this was a joke and never seen means not never happens!

I'm sorry then, I didn't get the joke. :)

>> We should prevent accessing PHP scripts that are not required for phpMyAdmin
>> operation, to not create a attack/intrusion vector for possible hackers. If
>> that file is only required for developers, only make it available for
>> developers, or make developers to change the filename to be able to execute
>> it. Don't bother the usual user with such a file, for whom such a file can
>> only do evil and nothing good.
> change it ... if you like ... i dont see it like you do ...

I would like to get feedback of Marc or Michal, how do you feel about that?

>> That's what the last couple of security bugfixes were about. Until the code
>> has ben FULLY reworked, we cannot guarantee there are still register_global
>> issues left. :-)
> this security fixes were BEFORE PMA always reverts register_globals

I haven't seen the new code yet, but if you say we have a working code that
makes injecting global variables IMPOSSIBLE, then please disregard my concern.

> so its not more a 'register globals' problem than 'what does PMA automatically
> import' problem.

Well, to me both questions lead to the same security issue about injecting
variables that PMA did not want.

Best regards,

++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in

More information about the Developers mailing list