Date: 07/03/01
- In reply to: Chris Anderson: "Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues"
hi chris,
server is running
mysql and php are working perfectly on all the servers
the correct url is
http://www.mydomain.com/phpMyAdmin/sql.php?server=000&cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd
and we tried that "exploit" now on 10 different dedicated servers
all with "default" phpMyAdmin installation [ advanced authentication ]
[ freebsd // linux ]
but all of them still ask for authentication
so we are just worried that we are doing something wrong
or the url specified is wrong
thank you
andreas
----- Original Message -----
From: "Chris Anderson" <chrisderson <email protected>>
To: "Paul Burney" <burney <email protected>>; "andreas ( <email protected>)"
<myviva <email protected>>
Cc: "php mailing list 2" <php-general <email protected>>
Sent: Tuesday, July 03, 2001 6:40 PM
Subject: Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues
btw, that error looks more like a mysql setup / runtime problem. IE..is the
server running?
----- Original Message -----
From: "Paul Burney" <burney <email protected>>
To: "andreas ( <email protected>)" <myviva <email protected>>
Cc: "php mailing list 2" <php-general <email protected>>
Sent: Tuesday, July 03, 2001 11:51 AM
Subject: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues
> on 7/3/01 5:47 AM, andreas ( <email protected>) (myviva <email protected>) wrote:
>
> > ive got 3 servers (dedicated) with mysql 3.22.32 and above and phpMyAdmin
> > 2.1.0 but i cant reproduce the vulnerability
>
> > i use advanced authentication
>
> > http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd
>
> If that URL is copied correctly, it might be because there's no "&" between
> the server=000 and the cfgServers[000][host].
>
> If not, maybe your particular configuration isn't vulnerable.
>
> If you use an Apache Auth for access to the folder and normal auth in
> phpmyadmin, you are not vulnerable to outsiders but *you* can still view a
> server's sensitive files which can be really dangerous in a shared server
> environment.
>
> Sincerely,
>
> Paul Burney
>
> +-------------------------+---------------------------------+
> | Paul Burney | P: 310.825.8365 |
> | Webmaster && Programmer | E: <webmaster <email protected>> |
> | UCLA -> GSE&IS -> ETU | W: <http://www.gseis.ucla.edu/> |
> +-------------------------+---------------------------------+
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: php-general-unsubscribe <email protected>
> For additional commands, e-mail: php-general-help <email protected>
> To contact the list administrators, e-mail: php-list-admin <email protected>
>
>
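An added example, not part of the thread and not phpMyAdmin code: a log check an administrator could run to find requests shaped like the two URLs quoted above, including the variant where the missing "&" fuses `cfgServers[...]` into the `server` value. The log lines are constructed, and treating HTTP 401 as the authentication prompt is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (addresses, times and sizes are made up);
# the first two request URLs are the ones quoted in the thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jul/2001:18:40:00 +0000] "GET /phpMyAdmin/sql.php'
    '?server=000&cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd HTTP/1.0" 401 401',
    '192.0.2.10 - - [03/Jul/2001:05:47:00 +0000] "GET /phpMyAdmin/sql.php'
    '?server=000cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd HTTP/1.0" 401 401',
    '192.0.2.11 - - [03/Jul/2001:12:00:00 +0000] "GET /phpMyAdmin/sql.php'
    '?server=1&db=test&goto=example.php HTTP/1.0" 200 5120',
]

REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def classify(line):
    """Return a finding dict for a suspicious sql.php request, else None."""
    m = REQUEST.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.lower().endswith("/sql.php"):
        return None
    params = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    if any(name.startswith("cfgServers[") for name, _ in params):
        reasons.append("cfgServers override in query")
    # A missing "&" fuses the override into the previous parameter's value.
    fused = [name for name, value in params if "cfgServers[" in value]
    if fused:
        reasons.append("cfgServers fused into '%s' (missing &)" % fused[0])
    goto = dict(params).get("goto", "")
    # Absolute path is what the thread shows; ".." is an added generalisation.
    if goto.startswith("/") or ".." in goto:
        reasons.append("goto points outside the application: " + goto)
    if not reasons:
        return None
    # Assumption: the authentication prompt is logged as HTTP 401.
    return {"request": m.group(1), "reasons": reasons,
            "auth_challenged": m.group(2) == "401"}

def scan(lines):
    """Return the findings for every flagged line, in input order."""
    return [f for f in map(classify, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```
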

