I don't know how many of you on this list are also on Bugtraq, but there
were some *very* interesting posts there this morning by Shaun Clowes.  You
can see them at:

http://www.securereality.com.au/archives.html

The relevant links to look at are "A Study in Scarlet":
http://www.securereality.com.au/studyinscarlet.txt

And:

(SRPRE00001) phpMyAdmin 2.1.0 and phpPgAdmin 2.2.1
http://www.securereality.com.au/srpre00001.html

I imagine that many on this list do use phpMyAdmin or phpPgAdmin so this
post is very important.

Basically, depending on configuration, any user on the web can use
phpMyAdmin to view sensitive files (/etc/passwd), etc.  There is a patch
available.

The Study in Scarlet goes into details about other common PHP security
breaches, and a little about how to avoid them.  The problems aren't *so*
bad if you're running your own server and access is only given to a few
trusted developers.  You could probably retrain everyone to use
$HTTP_GET_VARS, etc.

However, there could be a multitude of problems on hosts with multiple
virtual users.  For example, the above exploit could be used to get a list
of the users and home directories in /etc/passwd and then a malicious user
could view directory listings and file contents from another user's
directory.  That could lead to database passwords escaping and other local
users modifying your data.  And that's only the tip of the iceberg.

I look forward to seeing Rasmus, Andi, Zeev, Stig etc. respond to this.

Sincerely,

Paul Burney

+-------------------------+---------------------------------+
| Paul Burney             | P: 310.825.8365                 |
| Webmaster && Programmer | E: <[EMAIL PROTECTED]>   |
| UCLA -> GSE&IS -> ETU   | W: <http://www.gseis.ucla.edu/> |
+-------------------------+---------------------------------+
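As an added illustration (this is not code from the post, from the Study in Scarlet paper, or from phpMyAdmin), the following PHP contrasts the two coding habits the message refers to: relying on register_globals to populate variables from the request, versus the retraining to read request input explicitly through $HTTP_GET_VARS. It also shows the same discipline applied to a variable that selects a file to include, which is the general class of problem behind "view sensitive files". The credential, file names and the `page`/`password` parameters are constructed for the example. It assumes a PHP 4-era interpreter for the weak pattern; on PHP 5.4 and later $HTTP_GET_VARS and register_globals no longer exist, and $_GET (available since PHP 4.1) is the explicit array to use.

```php
<?php
// Added example, not from the original post or the projects it names.
// Pick whichever request array this interpreter provides (constructed shim).
$request_get = isset($_GET) ? $_GET : (isset($HTTP_GET_VARS) ? $HTTP_GET_VARS : array());

// --- Weak pattern: state that register_globals can pre-populate -----------
// With register_globals=On every request parameter is turned into a global
// before any script code runs, so a request that carries an "authorized"
// parameter sets $authorized even though this function never assigned it.
// The decision below therefore depends on client input the author never read.
function check_access_weak($password)
{
    global $authorized;                     // may already exist from the request
    if ($password == 'example-secret') {    // constructed example credential
        $authorized = 1;
    }
    return (isset($authorized) && $authorized) ? 'granted' : 'denied';
}

// --- Explicit pattern: every variable initialised, input read deliberately --
// Nothing the client sends can pre-populate local state, because the function
// starts from known values and reads only the one parameter it wants.
function check_access_explicit(array $get)
{
    $authorized = 0;                        // always starts from a known value
    $password = isset($get['password']) ? (string) $get['password'] : '';
    if ($password === 'example-secret') {   // strict comparison, no type juggling
        $authorized = 1;
    }
    return $authorized ? 'granted' : 'denied';
}

// --- Same discipline for a file-selecting variable -------------------------
// A page selector taken straight from the request (or from a global that the
// request can set) lets the client name arbitrary paths. Resolving the value
// through a fixed allow-list keeps the set of includable files under the
// author's control; anything else falls back to a known default.
function resolve_page(array $get)
{
    $allowed = array(                       // constructed allow-list
        'home'  => 'pages/home.php',
        'about' => 'pages/about.php',
    );
    $page = isset($get['page']) ? (string) $get['page'] : 'home';
    return isset($allowed[$page]) ? $allowed[$page] : $allowed['home'];
}

// Small demonstration when run from the command line with constructed input.
if (PHP_SAPI === 'cli') {
    $sample = array('password' => 'wrong', 'page' => '../../etc/passwd', 'authorized' => '1');
    // Under register_globals=On the "authorized" parameter above would already
    // have become $authorized, and check_access_weak('wrong') would grant.
    echo "explicit access check: " . check_access_explicit($sample) . "\n";
    echo "resolved page:         " . resolve_page($sample) . "\n";
}
```

The point of the explicit pattern is not the $_GET versus $HTTP_GET_VARS spelling but the habit it enforces: initialise every variable before use, read request input from the request array by name, and never let a value that chooses a file or a privilege level come from anywhere you did not assign it.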


-- 
PHP Database Mailing List (http://www.php.net/)