[Phpmyadmin-devel] Including admin scripts for end-users

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Wed Nov 23 04:51:03 CET 2005


Garvin Hicking wrote:
> Hi Sebastian!
> 
> 
>>>I've never seen a server where .sh scripts can be executed within a usual
>>>web application folder. If bash files are executed, they usually have to live
>>>within a cgi-bin folder, and even then, .sh is seldom included in the
>>>CGI folder. Plus, such a file would have the "execute" flag set, which PHP
>>>scripts don't require.
>>
>>hey, this was a joke, and "never seen" means not "never happens"!
> 
> 
> I'm sorry then, I didn't get the joke. :)
> 
> 
>>>We should prevent accessing PHP scripts that are not required for phpMyAdmin
>>>operation, to not create an attack/intrusion vector for possible hackers. If
>>>that file is only required for developers, only make it available for
>>>developers, or make developers change the filename to be able to execute
>>>it. Don't bother the usual user with such a file, for whom such a file can
>>>only do evil and nothing good.
>>
>>change it ... if you like ... I don't see it like you do ...
> 
> 
> I would like to get feedback of Marc or Michal, how do you feel about that?

I'm sorry, has this issue been solved with yesterday's commits?

Marc
> 
> 
>>>That's what the last couple of security bugfixes were about. Until the code
>>>has been FULLY reworked, we cannot guarantee there are no register_globals
>>>issues left. :-)
>>
>>these security fixes were BEFORE PMA always reverts register_globals
> 
> 
> I haven't seen the new code yet, but if you say we have a working code that
> makes injecting global variables IMPOSSIBLE, then please disregard my concern.
> 
> 
>>so it's not more of a 'register globals' problem than a 'what does PMA automatically
>>import' problem.
> 
> 
> Well, to me both questions lead to the same security issue about injecting
> variables that PMA did not want.
> 
> Best regards,
> Garvin
> 
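The thread refers to PMA "reverting" register_globals so that request parameters cannot be injected as global variables. The following is an added illustration of that defensive technique, not phpMyAdmin's own code: the function name is hypothetical, and it assumes a PHP build old enough to still honour the register_globals directive (it was removed in PHP 5.4, after which the function is simply a no-op).

```php
<?php
// Added example (hypothetical helper, not phpMyAdmin's code): undo the
// variables that register_globals imported from the request, so that a
// request parameter such as ?is_admin=1 cannot silently become $is_admin.
function undo_register_globals()
{
    // Nothing to undo when the directive is off (or unknown to this PHP).
    $rg = strtolower(trim((string) ini_get('register_globals')));
    if (!in_array($rg, array('1', 'on', 'yes', 'true'), true)) {
        return;
    }

    // A request that tries to supply a "GLOBALS" parameter is attempting to
    // overwrite the superglobal itself; refuse to serve it at all.
    if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
        header('HTTP/1.1 400 Bad Request');
        exit('Invalid request');
    }

    // Names that must never be unset, because the application relies on them.
    $protected = array(
        'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
        '_ENV', '_SERVER', '_REQUEST', '_SESSION',
    );

    // Every key present in any request source was also imported as a global
    // when register_globals is on; drop each of those globals again.
    $sources = array_merge($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER, $_REQUEST);
    foreach (array_keys($sources) as $name) {
        if (!in_array($name, $protected, true)) {
            unset($GLOBALS[$name]);
        }
    }
}

// Call this before any other code reads variables, e.g. at the top of the
// common include that every entry script loads first.
undo_register_globals();
```

After this runs, scripts must read input explicitly from $_GET, $_POST and friends; that is also what makes the second question in the thread, which scripts are reachable at all, easier to reason about, since a reachable script no longer receives injected globals just by being requested.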
