[Phpmyadmin-devel] sessions/cookies vs. javascript

Sebastian Mendel lists at sebastianmendel.de
Tue Sep 27 05:50:07 CEST 2005


Garvin Hicking wrote:
> Hi!
> 
>> securing session data/handling is part of the system not of the application
>> (like some days ago someone said window hijacking is part of
>> the browser not the app)
> 
> We would make it too easy for us to say so, especially if we are able to bypass
> this. If we really just use PHP sessions and pay no attention to their security,
> we need to make phpMyAdmin still work without sessions. Most of the shared
> hosting providers do not ensure different session.save_path settings...

OK, so let's just start with non-sensitive data, like charset/lang, 
selected server/db/table, configuration, window names and so on, query history, 
and so on.


>> even with open_basedir disabled, to open a file from the tmp dir you need the
>> exact name, as normally listing dir contents is not allowed
> 
> Why do you think that? I can open and list my /tmp directory on all 3 hosts I
> just checked:
> 
> <?php
> // list every entry of the shared temp directory
> $d = opendir('/tmp');
> while (($file = readdir($d)) !== false) {
>     echo $file . "\n";
> }
> closedir($d);

Uuh, bad, this is really a misconfiguration!
The web (Apache and/or PHP) user should not have read access on this 
directory, only on the files it created in there itself!


-- 
Sebastian Mendel

www.sebastianmendel.de
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
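As an added illustration of the point argued above (this is not code from the thread or from phpMyAdmin): a small Python audit of a PHP session.save_path directory. It constructs three temporary directories modelled on the cases discussed, a world-readable 0777 tmp directory, the usual 1733 sticky tmp directory where other local users can write but not list, and a private 0700 per-application save_path, and reports whether session file names can be listed or session contents read by other local users. The `sess_` prefix is PHP's real session file naming; the session ids and file contents are constructed for the demo.

```python
import os
import stat
import tempfile


def audit_session_dir(path):
    """Return a list of findings for a directory used as PHP session.save_path.

    Two conditions from the discussion are checked: whether users other than
    the owner can list the directory (so session file names, i.e. session ids,
    leak), and whether the session files inside are readable by group/other.
    A world-writable directory without the sticky bit is reported as well,
    since it lets other users delete or replace session files.
    """
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append("directory is world-readable: other users can list "
                        "session file names")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append("directory is world-writable without the sticky bit: "
                        "other users can delete or replace session files")
    for name in os.listdir(path):
        if not name.startswith("sess_"):   # PHP names session files sess_<id>
            continue
        fmode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if fmode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{name} is readable by group/other")
    return findings


def _write_session_file(directory, name, mode):
    """Write a constructed session file (id and payload are made up)."""
    path = os.path.join(directory, name)
    with open(path, "w") as fh:
        fh.write('lang|s:2:"en";')
    os.chmod(path, mode)


def demo():
    """Constructed demo: audit three save_path layouts and return the findings.

    shared_0777  -- misconfigured shared tmp dir, anyone can list it
    shared_1733  -- conventional sticky tmp dir, writable but not listable
    private_0700 -- per-application save_path owned by the web user
    """
    layouts = (("shared_0777", 0o777), ("shared_1733", 0o1733),
               ("private_0700", 0o700))
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for label, dmode in layouts:
            d = os.path.join(base, label)
            os.mkdir(d)
            # PHP's default is 0600 for session files; one file in the
            # 0777 layout is deliberately left 0644 to show the file-level check
            _write_session_file(d, "sess_constructedid01", 0o600)
            if label == "shared_0777":
                _write_session_file(d, "sess_constructedid02", 0o644)
            os.chmod(d, dmode)
            results[label] = audit_session_dir(d)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label, "->", findings or "OK")
```

The audit runs as the directory owner, so it inspects mode bits rather than trying to open files as another user; on a real host it would be pointed at the value of `session.save_path` from `php.ini`.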

