[Phpmyadmin-devel] sessions/cookies vs. javascript
Sebastian Mendel
lists at sebastianmendel.de
Tue Sep 27 05:50:07 CEST 2005
Garvin Hicking wrote:
> Hi!
>
>> securing session data/handling is part of the system, not of the application
>> (like someone said some days ago: window hijacking is part of
>> the browser, not the app)
>
> We would make it too easy for us to say so, especially if we are able to bypass
> this. If we really just use PHP sessions and pay no attention to their security,
> we need to make phpMyAdmin still work without sessions. Most of the shared
> hosting providers do not ensure different session.save_path settings...
OK, so let's just start with insensitive data, like charset/lang,
selected server/db/table, configuration, window names, query history
and so on.
>> even with open_basedir disabled, to open a file from the tmp dir you need the
>> exact name, as normally listing dir contents is not allowed
>
> Why do you think that? I can open and list my /tmp directory on all 3 hosts I
> just checked:
>
> <?php
> // list everything in the shared tmp dir; opendir() returns false when
> // the directory is not readable, so check before calling readdir()
> $d = opendir('/tmp');
> if ($d === false) {
>     die("cannot list /tmp\n");
> }
> while (($file = readdir($d)) !== false) {
>     echo $file . "\n";
> }
> closedir($d);
Uuh, bad, this is really a misconfiguration!
The web (Apache and/or PHP) user should not have read access on this
directory, only on the files created by itself in there!
--
Sebastian Mendel
www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
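As an added example (not code from phpMyAdmin and not posted by either author in this thread), the PHP script below puts both halves of the discussion into one runnable check: it audits the session directory the way a co-tenant script could (listing sess_* files, their owner, mode and whether the current process can read them) and then shows the application-side precaution of a private session.save_path, created 0700 and configured before session_start(), holding only insensitive state. The directory name pma-sessions-<uid> and the values stored in $_SESSION are assumptions made up for the example.

```php
<?php
// Added example, not code from phpMyAdmin or from the thread's authors.
// The directory name pma-sessions-<uid> is an illustrative assumption.

// Resolve session.save_path to a plain directory. The ini value may carry
// a "N;" or "N;MODE;" prefix (e.g. "2;0600;/tmp"); keep only the path.
function sessionDir(): string
{
    $raw = session_save_path();
    if ($raw === '' || $raw === false) {
        return sys_get_temp_dir();  // PHP falls back to the system tmp dir
    }
    $parts = explode(';', $raw);
    return end($parts);
}

// What any script on the same host learns if the directory is listable:
// every sess_* file, its owner and mode, and whether this process can
// read it. An empty result with a listable dir means no sessions exist;
// a refused opendir() is the "only your own files" situation.
function auditSessionFiles(string $dir): array
{
    $report = [];
    $d = @opendir($dir);
    if ($d === false) {
        return $report;
    }
    while (($file = readdir($d)) !== false) {
        if (strpos($file, 'sess_') !== 0) {
            continue;
        }
        $path = $dir . '/' . $file;
        $report[$file] = [
            'owner'    => fileowner($path),
            'mode'     => substr(sprintf('%o', fileperms($path)), -4),
            'readable' => is_readable($path),
        ];
    }
    closedir($d);
    return $report;
}

// Application-side hardening: a private directory (0700, outside the
// document root) set before session_start(), with the session id
// confined to a cookie rather than appearing in URLs.
function startPrivateSession(string $dir): void
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
        throw new RuntimeException("cannot create $dir");
    }
    ini_set('session.save_path', $dir);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Audit the shared path first, before we switch to the private one, and
// produce no output before session_start() so no headers are sent early.
$shared = sessionDir();
$sharedFiles = auditSessionFiles($shared);

$private = sys_get_temp_dir() . '/pma-sessions-' . getmyuid();  // assumed name
startPrivateSession($private);
$_SESSION['lang']   = 'en';  // insensitive state only, as proposed above
$_SESSION['server'] = 1;
session_write_close();

foreach ([$shared => $sharedFiles, $private => auditSessionFiles($private)] as $dir => $files) {
    printf("%s: %d session file(s)\n", $dir, count($files));
    foreach ($files as $name => $info) {
        printf("  %s owner=%d mode=%s readable=%s\n",
            $name, $info['owner'], $info['mode'], $info['readable'] ? 'yes' : 'no');
    }
}
```

Run it from the CLI or as a web page on the host in question. If the shared directory lists files with readable=yes that your own scripts did not create, other tenants' sessions are exposed to you and yours to them. Note the caveat behind Sebastian's remark: a 0700 directory only helps when tenants run as different UNIX users (suPHP, per-user FastCGI pools); under a shared mod_php user every vhost is the same user, and then the only real protection is the one proposed above, keeping nothing sensitive in the session at all.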