Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues

2001-07-03 Thread Chris Anderson

btw, that error looks more like a mysql setup / runtime problem. I.e., is the
server running?
----- Original Message -----
From: Paul Burney [EMAIL PROTECTED]
To: andreas (@work) [EMAIL PROTECTED]
Cc: php mailing list 2 [EMAIL PROTECTED]
Sent: Tuesday, July 03, 2001 11:51 AM
Subject: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues


> on 7/3/01 5:47 AM, andreas (@work) ([EMAIL PROTECTED]) wrote:
>
> > I've got 3 servers (dedicated) with mysql 3.22.32 and above and phpMyAdmin
> > 2.1.0 but I can't reproduce the vulnerability
> >
> > I use advanced authentication
> >
> > http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hellobtnDrop=Nogoto=/etc/passwd
>
> If that URL is copied correctly, it might be because there's no & between
> the server=000 and the cfgServers[000][host].
>
> If not, maybe your particular configuration isn't vulnerable.
>
> If you use an Apache Auth for access to the folder and normal auth in
> phpmyadmin, you are not vulnerable to outsiders but *you* can still view a
> server's sensitive files which can be really dangerous in a shared server
> environment.
>
> Sincerely,
>
> Paul Burney
>
> +-+-+
> | Paul Burney | P: 310.825.8365 |
> | Webmaster & Programmer | E: [EMAIL PROTECTED]   |
> | UCLA - GSEIS - ETU   | W: http://www.gseis.ucla.edu/ |
> +-+-+
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]








Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues

2001-07-03 Thread andreas (@work)

hi chris,

server is running
mysql and php are working perfect on all the servers


the correct url is

http://www.mydomain.com/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hellobtnDrop=Nogoto=/etc/passwd


and we tried that exploit now on  10 different dedicated servers
all with default phpMyAdmin installation [ advanced authentication ]
[ freebsd // linux ]


but all of them still ask for authentication

so we are just worried that we do something wrong
or the url specified is wrong


thank you

andreas





----- Original Message -----
From: Chris Anderson [EMAIL PROTECTED]
To: Paul Burney [EMAIL PROTECTED]; andreas (@work)
[EMAIL PROTECTED]
Cc: php mailing list 2 [EMAIL PROTECTED]
Sent: Tuesday, July 03, 2001 6:40 PM
Subject: Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues


btw, that error looks more like a mysql setup / runtime problem. I.e., is the
server running?
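An added example, not part of the original thread: a log check a defender could run for the request shape discussed above, flagging phpMyAdmin requests that carry a client-supplied `cfgServers[...]` parameter or a `goto` value pointing outside the application, and showing whether authentication stopped them. The log lines are constructed, the Common Log Format layout is assumed, and treating `..` in `goto` as suspicious is an assumption that goes beyond the one URL in the thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (Common Log Format); addresses, users and times are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jul/2001:11:02:13 +0000] "GET /phpMyAdmin/index.php HTTP/1.0" 401 468
192.0.2.10 - admin [03/Jul/2001:11:02:20 +0000] "GET /phpMyAdmin/sql.php?server=1&goto=index.php HTTP/1.0" 200 5120
198.51.100.7 - - [03/Jul/2001:11:05:41 +0000] "GET /phpMyAdmin/sql.php?server=000&cfgServers[000][host]=hello&goto=/etc/passwd HTTP/1.0" 401 468
198.51.100.7 - bob [03/Jul/2001:11:06:02 +0000] "GET /phpMyAdmin/sql.php?server=000&cfgServers%5B000%5D%5Bhost%5D=hello&goto=%2Fetc%2Fpasswd HTTP/1.0" 200 1873
"""

# Captures: client, authenticated user, request target, HTTP status
LINE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def suspicious(line):
    """Return (client, user, status, reasons) for a flagged request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    client, user, target, status = m.groups()
    url = urlsplit(target)
    if "phpmyadmin" not in url.path.lower():
        return None
    reasons = []
    # parse_qsl percent-decodes names and values, so encoded brackets are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.startswith("cfgServers["):
            reasons.append("config array supplied by client: " + name)
        elif name == "goto" and (value.startswith("/") or ".." in value):
            # Assumption: legitimate goto values are relative script names.
            reasons.append("goto points outside the application: " + value)
    return (client, user, int(status), reasons) if reasons else None


def scan(log_text):
    """Flag every matching line; status 401 means the server asked for authentication."""
    return [hit for hit in map(suspicious, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, user, status, reasons in scan(SAMPLE_LOG):
        outcome = "blocked by auth" if status == 401 else "reached the script"
        print(f"{client} user={user} {status} ({outcome}): {'; '.join(reasons)}")
```

A flagged line with status 200 and a named user is the shared-server case from the thread: the request came from someone who already holds valid credentials.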