[Phpmyadmin-devel] sessions/cookies vs. javascript

Sebastian Mendel lists at sebastianmendel.de
Tue Sep 27 05:50:07 CEST 2005

Garvin Hicking wrote:
> Hi!
>> securing session data/handling is part of the system not of the application
>> (like some days ago someone said window hijacking is part of
>> the browser not the app)
> We would make it too easy for us to say so, especially if we are able to bypass
> this. If we really just use PHP sessions and pay no attention to their security,
> we need to make phpMyAdmin still work without sessions. Most of the shared
> hosting providers do not ensure different session.save_path settings...

OK, so let's just start with insensitive data, like charset/lang, 
selected server/db/table, configuration, window names and so on, query history.

>> even with open_basedir disabled, to open a file from the tmp dir you need the
>> exact name, as normally listing dir contents is not allowed
> Why do you think that? I can open and list my /tmp directory on all 3 hosts I
> just checked:
> <?php
> $d = opendir('/tmp');
> while (($file = readdir($d)) !== false) {
> echo $file . "\n";
> }

Uuh, bad, this is really a misconfiguration!
The web (Apache and/or PHP) user should not have read access on this 
directory! Only on the files created by themselves in there!

Sebastian Mendel

www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
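The thread's point is that on a shared host the default session.save_path (usually the system /tmp) is shared with every other user and vhost, and that the fix is a directory only the PHP process user can read. The following is an added example, not code from the thread or from phpMyAdmin: a small PHP check that reports whether the configured session directory is private, plus a helper that moves sessions into an application-owned directory before session_start(). The path `$privateDir` and the assumption that the application can create a directory outside the web root are mine, not the thread's.

```php
<?php
// Added example (not from the original thread). Assumes a POSIX host, a
// single unprivileged PHP process user, and that session.save_path is a plain
// directory path (the "N;MODE;/path" form is not parsed here).

/**
 * Return a list of problems with $dir as a session store; empty means OK.
 */
function sessionDirProblems(string $dir): array
{
    $problems = [];
    if (!is_dir($dir)) {
        return ["save path '$dir' does not exist or is not a directory"];
    }
    $real  = realpath($dir);
    $perms = fileperms($dir) & 0777;

    // Any group/other bit lets other local users list, traverse or read the dir,
    // which is exactly the opendir('/tmp') problem shown in the thread.
    if ($perms & 0077) {
        $problems[] = sprintf("'%s' is accessible to other users (mode %04o)", $dir, $perms);
    }
    if (function_exists('posix_geteuid') && fileowner($dir) !== posix_geteuid()) {
        $problems[] = "'$dir' is not owned by the PHP process user";
    }
    // The system temp dir is shared with every other account on the host.
    if (in_array($real, array_map('realpath', ['/tmp', '/var/tmp', sys_get_temp_dir()]), true)) {
        $problems[] = "'$dir' is the system-wide temp directory, shared with other users";
    }
    return $problems;
}

/**
 * Point PHP's file session handler at a 0700 directory owned by this process
 * and start the session. Must be called before any output and before
 * session_start() elsewhere.
 */
function startSessionInPrivateDir(string $privateDir): void
{
    if (!is_dir($privateDir) && !mkdir($privateDir, 0700, true)) {
        throw new RuntimeException("cannot create session dir '$privateDir'");
    }
    chmod($privateDir, 0700);                 // owner-only, even if umask was loose
    ini_set('session.save_handler', 'files');
    ini_set('session.save_path', $privateDir);
    session_start();
}

// Report on the currently configured save path (falls back to the temp dir,
// which is what the files handler does when save_path is empty).
$current = ini_get('session.save_path') ?: sys_get_temp_dir();
foreach (sessionDirProblems($current) as $p) {
    fwrite(STDERR, "session store warning: $p\n");
}

// Hypothetical private location: one level above the document root.
$privateDir = dirname(__DIR__) . '/sessions';
startSessionInPrivateDir($privateDir);
```

Running the check on a stock shared-hosting setup typically reports the "system-wide temp directory" and "accessible to other users" problems; after startSessionInPrivateDir() the same check on `$privateDir` should return an empty list. The directory mode matters in addition to the 0600 mode PHP gives the session files themselves, because a readable directory is what lets another account discover the session IDs in the file names.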
