on 7/3/01 5:47 AM, andreas (@work) ([EMAIL PROTECTED]) wrote:

> I've got 3 servers (dedicated) with mysql 3.22.32 and above and phpMyAdmin
> 2.1.0 but I can't reproduce the vulnerability

> I use advanced authentication

> http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hello&btnDrop=No&goto=/etc/passwd

If that URL is copied correctly, it might be because there's no "&" between
the server=000 and the cfgServers[000][host].

If not, maybe your particular configuration isn't vulnerable.

If you use an Apache Auth for access to the folder and normal auth in
phpmyadmin, you are not vulnerable to outsiders but *you* can still view a
server's sensitive files which can be really dangerous in a shared server
environment.

Sincerely,

Paul Burney

+-------------------------+---------------------------------+
| Paul Burney             | P: 310.825.8365                 |
| Webmaster && Programmer | E: <[EMAIL PROTECTED]>   |
| UCLA -> GSE&IS -> ETU   | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
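
The missing "&" discussed in the reply above can be checked by parsing the query string and listing the parameter names it actually carries. This is an added example, not part of the original message or of phpMyAdmin; the function names and the third sample URL are constructed here, and Python's query-string parser stands in for the server's.

```python
from urllib.parse import urlsplit, parse_qsl

CONFIG_PREFIX = "cfgServers["  # parameter name taken from the URL quoted in the thread

def inspect_request(url):
    """Classify one sql.php request URL (hypothetical helper for log review).

    keys            - parameter names the query string really carries
    config_override - a cfgServers[...] parameter arrives under its own name
    fused_override  - cfgServers[...] text is buried inside another value,
                      i.e. the separator is missing and no such parameter is set
    goto_local_path - goto names an absolute or parent-relative path
    """
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    keys = [k for k, _ in pairs]
    goto = dict(pairs).get("goto", "")
    return {
        "keys": keys,
        "config_override": any(k.startswith(CONFIG_PREFIX) for k in keys),
        "fused_override": any(CONFIG_PREFIX in v for _, v in pairs),
        "goto_local_path": goto.startswith("/") or ".." in goto.split("/"),
    }

def flag_requests(urls):
    """Return the URLs worth a closer look in an access log: a config
    parameter supplied by the client together with a local path in goto."""
    hits = []
    for url in urls:
        r = inspect_request(url)
        if r["config_override"] and r["goto_local_path"]:
            hits.append(url)
    return hits

# The URL exactly as quoted in the thread (no "&" after server=000).
AS_QUOTED = ("http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]"
             "=hello&btnDrop=No&goto=/etc/passwd")
# The same URL with the separator the reply says is missing.
WITH_SEPARATOR = ("http://ip/phpMyAdmin/sql.php?server=000&cfgServers[000][host]"
                  "=hello&btnDrop=No&goto=/etc/passwd")
# Constructed ordinary request, for contrast.
ORDINARY = "http://ip/phpMyAdmin/sql.php?server=1&db=test&goto=tbl_properties.php"

if __name__ == "__main__":
    for u in (AS_QUOTED, WITH_SEPARATOR, ORDINARY):
        print(inspect_request(u))
    print(flag_requests([AS_QUOTED, WITH_SEPARATOR, ORDINARY]))
```

In the URL as quoted, the whole `cfgServers[000][host]=hello` text ends up inside the value of `server`, so no `cfgServers` parameter is sent at all; `fused_override` marks such requests as malformed attempts that a log review may still want to note.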

