hi chris,
server is running
mysql and php are working perfekt on all the servers
the correct url is
http://www.mydomain.com/phpMyAdmin/sql.php?server=000cfgServers[000][host]=
hellobtnDrop=Nogoto=/etc/passwd
and we tried that exploid now on 10 different dedicated servers
all with default phpMyAdmin istallation [ advanced authentication ]
[ freebsd // linux ]
but all of them still ask for authentication
so we are just worried that we do something wrong
or the url specifeid is wrong
thank yuo
andreas
- Original Message -
From: Chris Anderson [EMAIL PROTECTED]
To: Paul Burney [EMAIL PROTECTED]; andreas (@work)
[EMAIL PROTECTED]
Cc: php mailing list 2 [EMAIL PROTECTED]
Sent: Tuesday, July 03, 2001 6:40 PM
Subject: Re: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues
btw, that error looks more like a mysql setup / runtime problem. IE..is the
server running?
- Original Message -
From: Paul Burney [EMAIL PROTECTED]
To: andreas (@work) [EMAIL PROTECTED]
Cc: php mailing list 2 [EMAIL PROTECTED]
Sent: Tuesday, July 03, 2001 11:51 AM
Subject: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues
on 7/3/01 5:47 AM, andreas (@work) ([EMAIL PROTECTED]) wrote:
ive got 3 servers (dedicated) with mysql 3.22.32 and above and
phpMyAdmin
2.1.0 but i cant reproduce the vulnerability
i use advanced uthentication
http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hellobtnDrop=N
ogoto=/etc/passwd
If that URL is copied correctly, it might be because there's no
between
the server=000 and the cfgServers[000][host].
If not, maybe your particular configuration isn't vulnerable.
If you use a Apache Auth for access to the folder and normal auth in
phpmyadmin, you are not vulnerable to outsiders but *you* can still view a
server's sensitive files which can be really dangerous in a shared server
environment.
Sincerely,
Paul Burney
+-+-+
| Paul Burney | P: 310.825.8365 |
| Webmaster Programmer | E: [EMAIL PROTECTED] |
| UCLA - GSEIS - ETU | W: http://www.gseis.ucla.edu/ |
+-+-+
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]