I don't know how many of you on this list are also on Bugtraq, but there
were some *very* interesting posts there this morning by Shaun Clowes.  You
can see them at:


The relevant links to look at are "A Study in Scarlet":


(SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1

I imagine that many on this list do use phpMyAdmin or phpPgAdmin so this
post is very important.

Basically, depending on configuration, any user on the web can use
phpMyAdmin to view sensitive files (/etc/passwd), etc.  There is a patch

The Study in Scarlet goes into details about other common PHP security
breaches, and a little about how to avoid them.  The problems aren't *so*
bad if you're running your own server and access is only given to a few
trusted developers.  You could probably retrain everyone to use

However, there could be a multitude of problems on hosts with multiple
virtual users.  For example, the above exploit could be used to get a list
of the users and home directories in /etc/passwd and then a malicious user
could view directory listings and file contents from another user's
directory.  That could lead to database passwords escaping and other local
users modifying your data.  And that's only the tip of the iceberg.

I look forward to seeing Rasmus, Andi, Zeev, Stig etc. respond to this.


Paul Burney

| Paul Burney             | P: 310.825.8365                 |
| Webmaster && Programmer | E: <[EMAIL PROTECTED]>   |
| UCLA -> GSE&IS -> ETU   | W: <http://www.gseis.ucla.edu/> |

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to