possible mysql/phpmyadmin exploit



sde
11-23-2004, 01:45 PM
A user reported to me today that they were able to create a database from phpmyadmin.

after some investigating, here is what i found.

for the example, the username is abc. database abc_123 already exists.

from phpmyadmin, the user can create a new database with the same name except replacing the underscore with any other character.

example:
abc0123
abc?123
abc!123

the 123 database for abc already must exist. no more than 1 character can be in between abc and 123.

can anyone else confirm this on their system?

jmstacey
11-23-2004, 03:07 PM
Yes, I can confirm it. I posted this problem a couple of months ago. ;)

Here is that thread:
http://directadmin.com/forum/showthread.php?s=&threadid=4283

Another possible phpmyadmin problem thread: http://directadmin.com/forum/showthread.php?s=&threadid=4961&highlight=phpmyadmin

sde
11-23-2004, 03:37 PM
thanks. as mentioned in those posts, although anyone with knowledge and skill could do this, hiding it is what i prefer.

my quick fix was to open main.php and add the following line below the MySQL Server Related Links area. line 298 in version 2.6.0

$is_create_priv = false;

jmstacey
11-23-2004, 03:47 PM
It can probably also be done through the command line if ssh is enabled.

sde
11-23-2004, 04:20 PM
ok, so the script idea is probably best. i just set up this php script on a cron job to send me an email if there is an invalid db name.

this doesn't automatically take into consideration admins with databases, so i will have to add them manually as i did mysql and test.

am i paranoid? :D


<?php
// Fetch the list of DirectAdmin users through the DA API.
$users = array();
include("includes/httpsocket.php");
include("includes/connect.php");   // opens the MySQL connection used below
$sock = new HTTPSocket;
$sock->connect('1.2.3.4', 2222);
$sock->set_login('admin', '123456');
$sock->query('/CMD_API_SHOW_ALL_USERS');
$users = $sock->fetch_parsed_body();

// add mysql & test to array: system databases with no DA user behind them
$users['list'][] = "mysql";
$users['list'][] = "test";

// Every legitimate database is named <user>_<name>, so the part before
// the first underscore must be an existing user (or one of the names above).
$result = mysql_query("show databases");
if ($result === false) {
    die("show databases failed: " . mysql_error());
}
while ($row = mysql_fetch_array($result)) {
    $array = explode("_", $row[0]);
    $user = $array[0];

    if (!in_array($user, $users['list'])) {
        $message = "invalid db: " . $row[0];
        mail("admin@mydomain.com", "Invalid Database", $message);
    }
}
mysql_close();
?>
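The check sde's cron script performs, extended with the exact pattern from the first post (a name that matches an existing <user>_<name> database except for the single character where the underscore sits, which is how an unescaped `_` in a MySQL GRANT database pattern behaves as a one-character wildcard), as an added Python example that is not part of this thread. The user list, system database names and database names are constructed inline in place of the DirectAdmin API call and SHOW DATABASES; the function names are mine.

```python
import re

# Constructed sample data standing in for the DirectAdmin user list and SHOW DATABASES.
KNOWN_USERS = {"abc", "xyz"}
SYSTEM_DBS = {"mysql", "test"}   # databases with no DirectAdmin user behind them
DATABASES = ["mysql", "test", "abc_123", "abc0123", "abc?123",
             "xyz_site", "xyz_site2", "zzz_a"]


def owner_of(db_name):
    """User prefix of a <user>_<name> database, or None if there is no underscore."""
    return db_name.split("_", 1)[0] if "_" in db_name else None


def lookalike_of(db_name, legit_dbs):
    """Return the legitimate <user>_<name> database that db_name imitates by having
    exactly one other character where the underscore is, or None."""
    for legit in sorted(legit_dbs):
        user, sep, suffix = legit.partition("_")
        if not sep:
            continue
        # "[^_]" stands for the one swapped character; "." would also match legit itself
        if re.fullmatch(re.escape(user) + "[^_]" + re.escape(suffix), db_name):
            return legit
    return None


def audit(databases, known_users, system_dbs):
    """Classify every database: 'ok', 'lookalike:<db it imitates>' or 'orphan'
    (prefix is not a known user and it imitates nothing)."""
    legit = {d for d in databases if d in system_dbs or owner_of(d) in known_users}
    report = {}
    for db in databases:
        if db in legit:
            report[db] = "ok"
            continue
        twin = lookalike_of(db, legit - system_dbs)
        report[db] = "lookalike:" + twin if twin else "orphan"
    return report


def suspicious(report):
    """Names that would be mailed to the admin, as in the cron script above."""
    return sorted(db for db, verdict in report.items() if verdict != "ok")


if __name__ == "__main__":
    for db, verdict in audit(DATABASES, KNOWN_USERS, SYSTEM_DBS).items():
        print(f"{db:12} {verdict}")
```

Reporting which legitimate database a name imitates tells the admin which user's grant to look at, which a bare "invalid db" mail does not.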