I forget what the thread was, and also who asked/responded about the mysql
+ php admin tool(s), but there is a very good thread going on about this
and security on the bugtraq mail list right now, for those who may be
concerned.  www.securityfocus.com  The thread has not made it to the
website yet, it seems, but I imagine it will be updated soon.  Here's a
mid-thread post I thought was interesting.
HTH,
Cindy

-- 
"We apologize for the inconvenience."
Marvin says, "I think I feel good about it."
The lights went out in his eyes for absolutely the very last time ever.
--Douglas Adams (1951-2001)

---------- Forwarded message ----------
Date: Tue, 31 Jul 2001 17:16:17 -0400
From: Mark Renouf <[EMAIL PROTECTED]>
To: Carl Livitt <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: New command execution vulnerability in myPhpAdmin

Carl Livitt wrote:

>--/ Product: phpMyAdmin versions <= 2.2.0rc3
>--/ Problem: Arbitrary remote command execution
>--/ Severity: High
>--/ Author: Carl Livitt (carl AT ititc DOT com)
>--/ Date: 31 July 2001
>
This isn't so much a problem with phpMyAdmin as it is with PHP in
general. I would HIGHLY recommend turning off register_globals in
php.ini (which is the default set in php.ini-dist for php4+). With that
option disabled, the only thing that passing in extra parameters can do
is create entries in the $HTTP_GET_VARS array, and it's not possible to
clobber global script variables.

I tested this with my installation of phpMyAdmin 2.1.0 and it is not
vulnerable to the attack that you described, due to the settings I
mentioned above.

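The register_globals clobbering that Mark describes, shown as an added example that is not code from the thread, from Carl's advisory, or from phpMyAdmin itself. The functions, variable names and the inline "request" are all constructed for illustration; what is real is the mechanism: with register_globals = On, PHP copied every GET/POST/cookie key into a global variable before the first line of the script ran, so any variable the script forgot to initialise could be supplied by the client. The hardened half shows the pattern that is safe regardless of the php.ini setting: initialise everything the script trusts and read request input only through the request array ($HTTP_GET_VARS on PHP 4.0, $_GET from PHP 4.1 onward). register_globals was removed entirely in PHP 5.4, but the explicit-input habit still applies.

```php
<?php
// Added example (not from the thread or from phpMyAdmin). Runs under
// php-cli with no web server; the request below is constructed inline.
// php.ini setting under discussion:
//     register_globals = Off     ; safe
//     register_globals = On      ; the condition emulated below

// Constructed attacker request: GET /script.php?is_admin=1&lib_dir=/tmp/evil
$request = array('is_admin' => '1', 'lib_dir' => '/tmp/evil');

// Stand-in for what register_globals = On did before any script code ran:
// every request key became a global variable holding the client's value.
function emulate_register_globals(array $request)
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;
    }
}

// Constructed auth check: nobody is logged in for this run.
function check_login()
{
    return false;
}

// --- Vulnerable script shape (assumes register_globals = On) ---
// The author relies on $is_admin being unset unless assigned after a
// successful login, and on $lib_dir being defined by a config include.
function vulnerable_flow(array $request)
{
    emulate_register_globals($request);   // happens before the script's own code
    global $is_admin, $lib_dir;

    if (check_login()) {
        $is_admin = true;
    }
    // Constructed: on this code path the config include never ran, so the
    // only value $lib_dir ever received is the attacker's.

    $role = !empty($is_admin) ? 'admin' : 'user';   // attacker's "1" survives
    $lib  = isset($lib_dir) ? $lib_dir : null;      // would feed an include()
    return array('role' => $role, 'lib' => $lib);
}

// --- Hardened script shape (correct with register_globals On or Off) ---
function hardened_flow(array $get)
{
    // 1. Every variable the script trusts is initialised by the script itself,
    //    so nothing the client sends can be the first assignment.
    $is_admin = false;
    $lib_dir  = '/usr/share/app/lib';

    // 2. Client input is read only from the request array and validated
    //    before use; unknown keys such as is_admin or lib_dir are ignored.
    $page = isset($get['page']) ? $get['page'] : 'index';
    if (!preg_match('/^[a-z_]+$/', $page)) {
        $page = 'index';
    }

    if (check_login()) {
        $is_admin = true;
    }
    $role = $is_admin ? 'admin' : 'user';
    return array('role' => $role, 'lib' => $lib_dir, 'page' => $page);
}

echo "register_globals = On : ";
print_r(vulnerable_flow($request));   // role becomes admin, lib is /tmp/evil
echo "register_globals = Off: ";
print_r(hardened_flow($request));     // role stays user, lib stays the config path
```

The hardened function ignores the extra parameters not because register_globals is off but because it never consults an uninitialised variable; that is the property worth checking in any PHP 4-era code you still maintain. Mark's point about the 2.1.0 install is the other half: if php.ini already has register_globals = Off, the emulated step never happens and even the vulnerable shape sees $is_admin unset.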