[Phpmyadmin-devel] file_echo.php

Tyron Madlener tyronx at gmail.com
Fri Aug 5 12:34:07 CEST 2011


On Fri, Aug 5, 2011 at 10:45 AM, Michal Čihař <michal at cihar.com> wrote:
> Hi
>
> ...resending to the list...
>
> Dne Thu, 4 Aug 2011 21:13:16 +0300
> Tyron Madlener <tyronx at gmail.com> napsal(a):
>
>> On Thu, Aug 4, 2011 at 8:51 PM, Michal Čihař <michal at cihar.com> wrote:
>> > This is just limiting access to file_echo.php to users who are allowed
>> > to use phpMyAdmin (and thus have login to MySQL). I see no reason
>> > having publicly available echo service in phpMyAdmin.
>>
>> But don't you need valid mysql credentials to get a session (and token) anyway?
>
> Yes, though the token might be valid longer than MySQL credentials, so
> it's better to check both.
>
>> Since the file uploading is handled by the browser, I cannot think of
>> a case where you can upload a file unintentionally, or in any way get
>> it uploaded through other means than manually uploading it yourself.
>> I'd be really curious to know how a hacker can do anything malicious
>> in this direction.
>
> You can easily place form on other page and redirect it to this file.
> This is data you receive from outside, you should never trust it.
>
>> > If you don't need any HTML code inside, htmlspecialchars will help
>> > here. Also if you set content type to JSON, browser will not process it
>> > as HTML.
>>
>> Ah yes, great solution :)
>> It just didn't into my mind to actually change the http header, even
>> though its so obvious.
>> I'll change that today.
>
> Okay, please base changes on current master, I've made numerous changes
> to that file.

Commit d368a81ccaf2c1013bd49cbf51ec23be346aeffb and
9f425de0e727b4219e50111b25c362164d420284 does this now.

I had to use text/plain though because some browsers like FF doesn't
understand application/json (and offers the file to be downloaded).

>
> --
>        Michal Čihař | http://cihar.com | http://blog.cihar.com
>
> ------------------------------------------------------------------------------
> BlackBerry® DevCon Americas, Oct. 18-20, San Francisco, CA
> The must-attend event for mobile developers. Connect with experts.
> Get tools for creating Super Apps. See the latest technologies.
> Sessions, hands-on labs, demos & much more. Register early & save!
> http://p.sf.net/sfu/rim-blackberry-1
> _______________________________________________
> Phpmyadmin-devel mailing list
> Phpmyadmin-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
>
>




More information about the Developers mailing list