[cobalt-security] Re: [cobalt-users] PHPMYADMIN ... and security
- Subject: [cobalt-security] Re: [cobalt-users] PHPMYADMIN ... and security
- From: QX Hosting <info@xxxxxxxxxxxx>
- Date: Sat, 22 Sep 2001 00:51:19 +0200
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
   Unfortunately, it's not, in a way. I found that if a user has PHPMyAdmin
installed in his/her directory, there's a config file with the username and
password to be able to access the database. Any user on the same machine can
read that config file using perl and gain access to another user's database.
So while PHPMyAdmin may be easy to use, it's also easy to ABUSE. I've been able to
access other people's databases, with ease, not being the siteadmin for that
virtual site. All I needed was one simple perl script and an account on the
same machine. My advice is to always keep the config file offline except for
those moments when you actually need it. I don't know if this sounds stupid
to any of you, I've just started working with Cobalt appliances myself,
after having my sites hosted on RaQ3s and RaQ4s for 18 months. So I'm sure
there are better ways to protect a user's database from others on the same
machine.
   Anyway, the method I described here also applies to ALL other files on
the server. I can view password files (whether readable or not, that's
beside the point), I can retrieve a list of all the sites on the server, I
can also access directories normally protected by passwords (when accessed
by a web browser). I don't know, maybe it's a bug, but it seems like I have
at least read access to all areas as long as perl can reach them. Of course,
looking at the example I mentioned above, I need to have a copy of
PHPMyAdmin installed in my directory and a copy of the other user's config,
but it's possible. I've not tried anything beyond this point, but who knows
what's possible??? I could read other people's mail, possibly guess their
siteadmin password based on their username, using the name of their mail
directory as a starting point... Could it be group permissions? Would a user
be able to access my files because that file has group read permission?
Who would like to comment on this?
QX Hosting
21-09-2001 20:21 Cobalt mailing List, cobaltlist@xxxxxxxxxxx wrote:
> Taco has just added a great piece of software to our Raq4, PHP MYADMIN.
> This is a very simple GUI tool to add, edit and generally keep track of
> MYSQL databases.
> 
> I have not used MYSQL much but this looks like a very easy to manage
> system. Anything which makes my life easier has to be a good thing!
>
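The exposure described in the message above, as an added example that is not part of the original post and not code from Cobalt or phpMyAdmin: a POSIX shell script that audits a shared-hosting tree for phpMyAdmin config.inc.php files whose group or "other" read bit is set (the thing that lets any local account open them, whatever password protection the web server applies), shows what a fellow user can pull out of one, and tightens the file to mode 600. The site layout (one directory per virtual site under a common root, in the spirit of /home/sites/siteN/web), the config contents and the credentials are all constructed for the demo; the config line format follows the phpMyAdmin 2.x `$cfgServers[1]['password']` style and is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post or from phpMyAdmin.
# Audits a shared-hosting tree for phpMyAdmin config files that any local
# account can read, shows what such a file gives away, and tightens it.
# Assumed layout: one directory per virtual site under a common root,
# each with web/phpMyAdmin/config.inc.php (Cobalt used /home/sites/siteN/web).
set -eu

# Constructed sample tree for the demo: site1 leaks its config, site2 does not.
make_sample_tree() {
    root=$(mktemp -d)
    for site in site1 site2; do
        mkdir -p "$root/$site/web/phpMyAdmin"
    done
    # Constructed contents in the phpMyAdmin 2.x style; the credentials are fake.
    printf "<?php\n\$cfgServers[1]['user'] = 'site1';\n\$cfgServers[1]['password'] = 's3cret';\n?>\n" \
        > "$root/site1/web/phpMyAdmin/config.inc.php"
    printf "<?php\n\$cfgServers[1]['user'] = 'site2';\n\$cfgServers[1]['password'] = 'hunter2';\n?>\n" \
        > "$root/site2/web/phpMyAdmin/config.inc.php"
    chmod 644 "$root/site1/web/phpMyAdmin/config.inc.php"   # group/other can read it
    chmod 600 "$root/site2/web/phpMyAdmin/config.inc.php"   # owner only
    echo "$root"
}

# List config.inc.php files whose group (040) or other (004) read bit is set.
# This tests the mode bits rather than "can I open it", so it gives the same
# answer whether the audit runs as root or as an ordinary shell user.
find_leaky_configs() {
    find "$1" -type f -name config.inc.php \( -perm -040 -o -perm -004 \) -print
}

# What a fellow user learns from a readable config: the MySQL password.
# Assumes the 2.x "$cfgServers[1]['password'] = '...';" line format.
read_db_password() {
    sed -n "s/^.*\['password'] *= *'\([^']*\)'.*$/\1/p" "$1"
}

# Remove group/other access from one file and confirm the bits are really gone.
harden_config() {
    chmod 600 "$1"
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "still readable"
        return 1
    fi
    echo "hardened"
}

# With no argument, run the demo on the constructed tree; otherwise audit the
# directory named on the command line, e.g. "sh audit_pma.sh /home/sites".
demo() {
    root=$(make_sample_tree)
    echo "leaky configs under $root:"
    find_leaky_configs "$root"
    leaky=$(find_leaky_configs "$root")
    echo "password exposed by $leaky: $(read_db_password "$leaky")"
    harden_config "$leaky"
    echo "leaky configs after hardening: $(find_leaky_configs "$root" | wc -l)"
    rm -rf "$root"
}

if [ $# -gt 0 ]; then
    find_leaky_configs "$1"
else
    demo
fi
```

One caveat a practitioner should keep in mind: mode 600 only closes the hole if the file is owned by the site's own account and PHP runs as that account. Where PHP runs inside a web server that uses one shared user for every site, that same user (and so every site's PHP or CGI code) still needs to read the file, and a 600 owned by the siteadmin breaks phpMyAdmin itself, which is why the post's advice is to take the config offline when it is not in use. The audit is still the right first step, since it tells you which sites are exposed today.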