[Phpmyadmin-devel] file_echo.php

Michal Čihař michal at cihar.com
Fri Aug 5 09:45:10 CEST 2011


Hi

...resending to the list...

On Thu, 4 Aug 2011 21:13:16 +0300,
Tyron Madlener <tyronx at gmail.com> wrote:

> On Thu, Aug 4, 2011 at 8:51 PM, Michal Čihař <michal at cihar.com> wrote:
> > This is just limiting access to file_echo.php to users who are allowed
> > to use phpMyAdmin (and thus have login to MySQL). I see no reason
> > having publicly available echo service in phpMyAdmin.
> 
> But don't you need valid mysql credentials to get a session (and token) anyway?

Yes, though the token might be valid longer than MySQL credentials, so
it's better to check both.

> Since the file uploading is handled by the browser, I cannot think of
> a case where you can upload a file unintentionally, or in any way get
> it uploaded through other means than manually uploading it yourself.
> I'd be really curious to know how a hacker can do anything malicious
> in this direction.

You can easily place a form on another page and redirect it to this file.
This is data you receive from outside; you should never trust it.

> > If you don't need any HTML code inside, htmlspecialchars will help
> > here. Also, if you set the content type to JSON, the browser will not
> > process it as HTML.
> 
> Ah yes, great solution :)
> It just didn't come to my mind to actually change the HTTP header, even
> though it's so obvious.
> I'll change that today.

Okay, please base changes on current master, I've made numerous changes
to that file.

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
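The two points Michal makes above (a form on another page can POST a file to
this script, and reflected upload content must not be rendered as HTML) are
illustrated below as an added example. This is not phpMyAdmin's file_echo.php
and uses none of its internals; the session keys ($_SESSION['token'],
$_SESSION['mysql_user']), the form field names ('token', 'file') and the
function names are assumptions made for the example. It shows the unsafe
"echo the upload back" shape next to a hardened version that requires a
logged-in session plus a per-session token, escapes the content with
htmlspecialchars (appropriate only when no HTML is needed inside, as the
thread notes) and delivers it as application/json.

```php
<?php
// Added example, not phpMyAdmin code. Session key names, field names and
// function names below are assumptions made for illustration.

session_start();

/**
 * Called once after a successful MySQL login (assumed hook): issue a
 * per-session token that a form on another origin cannot know.
 */
function issue_token(): string
{
    $_SESSION['token'] = bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

/**
 * UNSAFE: any page on the web can host <form action=".../file_echo.php"
 * method="POST" enctype="multipart/form-data"> and auto-submit it in the
 * victim's browser. The bytes come back as text/html, so a file containing
 * <script> executes in this application's origin.
 */
function echo_file_unsafe(): void
{
    if (isset($_FILES['file']) && $_FILES['file']['error'] === UPLOAD_ERR_OK) {
        readfile($_FILES['file']['tmp_name']); // default Content-Type is text/html
    }
}

/**
 * HARDENED: check both that the session belongs to a logged-in user and
 * that the request carries the session token (the token may outlive the
 * MySQL credentials, so neither check replaces the other), then return the
 * content escaped and typed as JSON so the browser never treats it as HTML.
 */
function echo_file_safe(): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff'); // no MIME sniffing back to HTML

    // 1. Only users who actually logged in (assumed session key).
    if (empty($_SESSION['mysql_user'])) {
        http_response_code(403);
        echo json_encode(['error' => 'not logged in']);
        return;
    }

    // 2. Anti-CSRF token; hash_equals() gives a constant-time comparison.
    $sent = $_POST['token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['token'])
        || !hash_equals($_SESSION['token'], $sent)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid token']);
        return;
    }

    // 3. Accept only a genuine PHP-handled upload.
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK
        || !is_uploaded_file($_FILES['file']['tmp_name'])) {
        http_response_code(400);
        echo json_encode(['error' => 'no file uploaded']);
        return;
    }

    $content = file_get_contents($_FILES['file']['tmp_name']);

    // 4. Escape first (no HTML is wanted inside), then JSON-encode. The
    //    JSON_HEX_* flags also neutralise <, >, &, ' and " in the JSON text
    //    itself in case the response is ever embedded in a page.
    echo json_encode([
        'name'    => htmlspecialchars($_FILES['file']['name'], ENT_QUOTES, 'UTF-8'),
        'content' => htmlspecialchars($content, ENT_QUOTES, 'UTF-8'),
    ], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo_file_safe();
```

The legitimate uploader (the application's own page) includes the token as a
hidden field or a request header when it submits the file; a form hosted on
another site cannot read the victim's session and therefore cannot supply it,
which is what closes the "place a form on another page" route. The JSON
content type and nosniff header close the second route independently, so the
response is harmless even if the token check were ever bypassed.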