btw, that error looks more like a mysql setup / runtime problem. IE..is the
server running?
----- Original Message -----
From: "Paul Burney" <[EMAIL PROTECTED]>
To: "andreas (@work)" <[EMAIL PROTECTED]>
Cc: "php mailing list 2" <[EMAIL PROTECTED]>
Sent: Tuesday, July 03, 2001 11:51 AM
Subject: [PHP] Re: [PHP-DB] PhpMyAdmin phpPgAdmin Security Issues
> on 7/3/01 5:47 AM, andreas (@work) ([EMAIL PROTECTED]) wrote:
>
> > ive got 3 servers (dedicated) with mysql 3.22.32 and above and
phpMyAdmin
> > 2.1.0 but i cant reproduce the vulnerability
>
> > i use advanced uthentication
>
> >
http://ip/phpMyAdmin/sql.php?server=000cfgServers[000][host]=hello&btnDrop=N
> > o&goto=/etc/passwd
>
> If that URL is copied correctly, it might be because there's no "&"
between
> the server=000 and the cfgServers[000][host].
>
> If not, maybe your particular configuration isn't vulnerable.
>
> If you use a Apache Auth for access to the folder and normal auth in
> phpmyadmin, you are not vulnerable to outsiders but *you* can still view a
> server's sensitive files which can be really dangerous in a shared server
> environment.
>
> Sincerely,
>
> Paul Burney
>
> +-------------------------+---------------------------------+
> | Paul Burney | P: 310.825.8365 |
> | Webmaster && Programmer | E: <[EMAIL PROTECTED]> |
> | UCLA -> GSE&IS -> ETU | W: <http://www.gseis.ucla.edu/> |
> +-------------------------+---------------------------------+
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
