michal at cihar.com
Thu Aug 4 15:17:42 CEST 2011
On Thu, 4 Aug 2011 15:47:59 +0300
Tyron Madlener <tyronx at gmail.com> wrote:
> From what I can see, the token is being checked independent of what
> value PMA_MINUMUM_COMMON is set to. Looking at the other parts of
> common.inc.php I also cannot see any security related functions not
> being executed if PMA_MINUMUM_COMMON is set. Also defining
> PMA_MINUMUM_COMMON I had added in the very first version of the file
> (when it was named chart_export.php), and from what I remember you
> overlooked that file there too.
> And I just tested that on the gsoc-tyron demo. It returns 'Invalid
> request' if no valid token is set.
> Apart from that, please elaborate, how can an attacker do harm to a
> user with my changes? And how is the user protected with
> PMA_MINUMUM_COMMON removed? Looking at common.inc.php, I fail to find
> any possible attack vector.
Defining PMA_MINUMUM_COMMON skips MySQL authentication, so it might be
easier to exploit any possible issue, but you seem to be right that the
token is checked.
> My added file echo for the monitor config forces the file name
> 'monitor.cfg', so even if the token is not checked, and an attacker is
> able to trick a user into downloading a file, no harm can be done, since
> .cfg files are not executable or viewable by standard programs.
This one looks pretty safe.
> And the import-echo I added uses $_FILES which can only be set with an
> actual file upload. I wouldn't know how that could be exploited by an
This one definitely allows XSS (though still protected by the token, so
pretty harmless unless there is some other issue). Is the echo service
for HTML really needed?
Michal Čihař | http://cihar.com | http://blog.cihar.com
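The import-echo pattern discussed in this thread, as an added example that is not phpMyAdmin's own code: a token-checked endpoint that reflects an uploaded file as text/html (the XSS sink Michal points at) next to a hardened form. The field name `import_file`, the POST parameter `token`, the session key `token` and the JSON response shape are assumptions for illustration, not the project's identifiers.

```php
<?php
// Added example, not phpMyAdmin code. 'import_file', $_POST['token'] and
// $_SESSION['token'] are assumed names; the token is assumed to have been
// stored in the session at login.
session_start();

// Token check as the thread describes it: a request without the session
// token is rejected before anything else runs.
function require_valid_token(): void
{
    if (! isset($_POST['token'], $_SESSION['token'])
        || ! hash_equals((string) $_SESSION['token'], (string) $_POST['token'])
    ) {
        http_response_code(403);
        exit('Invalid request');
    }
}

// $_FILES is only populated by a real multipart upload, but a form on any
// other site can produce one, which is why the token check is not optional.
function read_upload(string $field): string
{
    if (! isset($_FILES[$field])
        || $_FILES[$field]['error'] !== UPLOAD_ERR_OK
        || ! is_uploaded_file($_FILES[$field]['tmp_name'])
    ) {
        http_response_code(400);
        exit('No file uploaded');
    }
    $data = file_get_contents($_FILES[$field]['tmp_name']);
    if ($data === false) {
        http_response_code(500);
        exit('Read failed');
    }
    return $data;
}

// Vulnerable echo service: the token is verified, yet the bytes go back with
// PHP's default Content-Type of text/html, so an uploaded file containing
// <script>...</script> runs in the application's origin. Only a request
// carrying the victim's token reaches this line, so it is hard to trigger
// from another site, but the echo itself is still an XSS sink.
function echo_upload_unsafe(): void
{
    require_valid_token();
    echo read_upload('import_file');
}

// Hardened echo service: same token check, but the content is returned as
// JSON with an explicit type and sniffing disabled, so client-side code can
// read it while the browser never renders it as a document. If the bytes
// had to be placed into HTML instead, htmlspecialchars($data, ENT_QUOTES,
// 'UTF-8') would be the equivalent step.
function echo_upload_safe(): void
{
    require_valid_token();
    $data = read_upload('import_file');

    $json = json_encode(
        ['content' => $data],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    if ($json === false) {          // e.g. the upload is not valid UTF-8
        http_response_code(400);
        exit('File is not valid UTF-8');
    }
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store');
    echo $json;
}

// For a response that must be downloaded (the monitor.cfg case in the thread),
// force the type and a fixed file name so the browser never interprets it.
function send_config_download(string $data): void
{
    header('Content-Type: text/plain; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="monitor.cfg"');
    header('Content-Length: ' . strlen($data));
    echo $data;
}

echo_upload_safe();
```

The hardened variant assumes the JavaScript that consumes the echo can be changed to parse JSON rather than read back an HTML document; if it cannot, the HTML-escaping alternative noted in the comment is the minimum. Either way the CSRF token stays in place: it is what keeps a cross-site form from reaching the sink at all.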