[Phpmyadmin-devel] file_echo.php

Michal Čihař michal at cihar.com
Thu Aug 4 15:17:42 CEST 2011


Dne Thu, 4 Aug 2011 15:47:59 +0300
Tyron Madlener <tyronx at gmail.com> napsal(a):

> From what I can see, the token is being checked independent of what
> value PMA_MINUMUM_COMMON  is set to. Looking at the other parts of
> common.inc.php I also cannot see any security related functions not
> being executed if PMA_MINUMUM_COMMON is set. Also defining
> PMA_MINUMUM_COMMON I had added in the very first version of the file
> (when it was named chart_export.php), and from what I remember you
> overlooked that file there too.
> And I just tested that on the gsoc-tyron demo. It returns 'Invalid
> request' if no valid token is set.
> Apart from that, please elaborate, how can an attacker do harm to a
> user with my changes? And how is the user protected with
> PMA_MINUMUM_COMMON removed? Looking at common.inc.php, I fail to find
> any possible attack vector.

Defining PMA_MINUMUM_COMMON skips MySQL authentication, so it might be
easier to exploit any possible issue, but you seem to be right that the
token is checked.

> My added file echo for the monitor config forces the file name
> 'monitor.cfg', so even if the token is not checked, and an attacker is
> able to trick a user into downloading a file, no harm can be done, since
> .cfg files are not executable or viewable by standard programs.

This one looks pretty safe.

> And the import-echo I added uses $_FILES which can only be set with an
> actual file upload. I wouldn't know how that could be exploited by an
> attacker.

This one definitely allows XSS (though still protected by token, so
pretty harmless unless there is some other issue). Is the echo service
for HTML really needed?

	Michal Čihař | http://cihar.com | http://blog.cihar.com
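As an added illustration of why the monitor-config echo is judged safe while an HTML echo is not (example code written for this thread, not phpMyAdmin's own): a file-echo endpoint that checks the request token, forces the download filename, and serves the body as an attachment with a non-HTML type, so the browser never renders the echoed content. The session key `PMA_token`, the `token` and `monitorconfig` POST fields are assumed names, not the project's.

```php
<?php
// Added example (not phpMyAdmin code): echo user-supplied content back as a
// download without giving the browser a chance to interpret it as HTML.
// Assumption: the anti-CSRF token is stored in $_SESSION['PMA_token'] and
// submitted as $_POST['token'] (placeholder names).

function verify_token(array $post, array $session): bool
{
    // Reject the request unless the posted token matches the session token;
    // hash_equals() avoids a timing side channel on the comparison.
    if (empty($post['token']) || empty($session['PMA_token'])) {
        return false;
    }
    return hash_equals($session['PMA_token'], $post['token']);
}

function echo_as_download(string $content, string $filename = 'monitor.cfg'): void
{
    // The filename is fixed server-side, so a client cannot pick .html/.svg.
    // "attachment" makes the browser save instead of display the body, and
    // application/octet-stream plus nosniff stops it from guessing "this is
    // HTML" from the content. Serving the same bytes as text/html inline is
    // exactly the reflected-XSS case Michal points out for the import echo.
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('X-Content-Type-Options: nosniff');
    header('Content-Length: ' . strlen($content));
    echo $content;
}

session_start();
if (!verify_token($_POST, $_SESSION)) {
    http_response_code(403);
    exit('Invalid request');
}

// The body is whatever the client posted (e.g. the monitor's JSON settings);
// the server never interprets it, it only hands it back as a file.
echo_as_download((string) ($_POST['monitorconfig'] ?? ''));
```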