tyronx at gmail.com
Thu Aug 4 14:47:59 CEST 2011
On Thu, Aug 4, 2011 at 3:10 PM, Michal Čihař <michal at cihar.com> wrote:
> Hi Tyron
> your changes include unprotected (does not require user being logged in
> and no token check) file file_echo.php, which allows to download
> arbitrary data. This could be easily used by attacker to pretend data
> is coming from safe location (where phpMyAdmin is running), while it
> would actually come from attacker.
> I've removed defining of PMA_MINUMUM_COMMON (which does skip all the
> checks) from this file. As you already seem to pass token with the
> request, no other change should be needed, but please take care of such
> dangerous code in future.
>From what I can see, the token is being checked independent of what
value PMA_MINUMUM_COMMON is set to. Looking at the other parts of
common.inc.php I also cannot see any security related functions not
being executed if PMA_MINUMUM_COMMON is set. Also defining
PMA_MINUMUM_COMMON I had added in the very first version of the file
(when it was named chart_export.php), and from what I remember you
overlooked that file there too.
And I just tested that on the gsoc-tyron demo. It returns 'Invalid
request' if no valid token is set.
Apart from that, please elaborate, how can an attacker do harm to a
user with my changes? And how is the user protected with
PMA_MINUMUM_COMMON removed? Looking at common.inc.php, I fail to find
any possible attack vector.
My added file echo for the monitor config forces the file name
'monitor.cfg', so even if the token is not checked, and an attacker is
be able to trick a user to download a file no harm can be made, since
.cfg Files are not executable or viewable by standard programs.
And the import-echo I added uses $_FILES which can only be set with an
actual file upload. I wouldn't know how that could be exploited by an
> Michal Čihař | http://cihar.com | http://blog.cihar.com
> BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
> The must-attend event for mobile developers. Connect with experts.
> Get tools for creating Super Apps. See the latest technologies.
> Sessions, hands-on labs, demos & much more. Register early & save!
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
More information about the Developers