Possible MySQL/phpMyAdmin exploit

sde (Verified User, joined Sep 11, 2004, 214 messages, Temecula, CA)
A user reported to me today that they were able to create a database from phpMyAdmin.

After some investigating, here is what I found.

For the example, the username is abc. Database abc_123 already exists.

From phpMyAdmin, the user can create a new database with the same name except replacing the underscore with any other character.

Example:
abc0123
abc?123
abc!123

The abc_123 database must already exist. No more than one character can be in between abc and 123.

Can anyone else confirm this on their system?
 
Thanks. As mentioned in those posts, although anyone with knowledge and skill could do this, hiding it is what I prefer.

My quick fix was to open main.php and add the following line below the MySQL Server Related Links area (line 298 in version 2.6.0).
PHP:
$is_create_priv = false;
 
OK, so the script idea is probably best. I just set up this PHP script on a cron job to send me an email if there is an invalid DB name.

This doesn't automatically take into consideration admins with databases, so I will have to add them manually as I did mysql and test.

Am I paranoid? :D

PHP:
<?php
$users = array();
include("includes/httpsocket.php");
include("includes/connect.php");   // opens the MySQL connection that mysql_query() below relies on

// fetch the list of control-panel users over the API
$sock = new HTTPSocket;
$sock->connect('1.2.3.4', 2222);
$sock->set_login('admin', '123456');
$sock->query('/CMD_API_SHOW_ALL_USERS');
$users = $sock->fetch_parsed_body();

// add mysql & test to array
$users['list'][] = "mysql";
$users['list'][] = "test";

$result = mysql_query("show databases");
if (!$result) {
    die("show databases failed: " . mysql_error());
}
while ($row = mysql_fetch_array($result)) {
    // a valid database is named user_something; the owner is the part before the first underscore
    $array = explode("_", $row[0]);
    $user = $array[0];

    if (!in_array($user, $users['list'])) {
        $message = "invalid db: " . $row[0];
        mail("[email protected]", "Invalid Database", $message);
    }
}
mysql_close();
?>
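The following is an added example, written for this thread rather than taken from it or from phpMyAdmin, and in Python rather than PHP so it can be run without a server. It covers both the look-alike names from the first post and the cron audit from the last one. The user list and the SHOW DATABASES output are constructed sample data. The `grant_pattern_to_regex` part rests on a documented MySQL fact the thread does not spell out: in `GRANT ... ON db.*` the database name is a LIKE pattern, so an unescaped `_` matches any single character, which is exactly why abc0123, abc?123 and abc!123 fall under a grant written for abc_123. `literal_grant` shows the mitigation: quote the name and escape the underscore so the grant covers that one database only.

```python
import re

# Constructed sample data (not from the thread): control-panel users plus the
# two MySQL-internal names the posted cron script adds by hand.
KNOWN_USERS = ["abc", "def", "mysql", "test"]

# Constructed sample output of SHOW DATABASES: the legitimate abc_123, the three
# look-alike names from the first post, and some ordinary databases.
DATABASES = ["abc_123", "abc0123", "abc?123", "abc!123", "def_shop", "mysql", "test"]


def owner_of(db_name):
    """Owner prefix of a panel-style 'user_name' database.

    A name with no underscore (e.g. 'mysql' or 'abc0123') is returned whole,
    which is what makes the look-alike names show up as unknown owners.
    """
    return db_name.split("_", 1)[0]


def find_invalid_databases(databases, known_users):
    """The check the posted cron script performs: flag every database whose
    owner prefix is not a known user."""
    return [db for db in databases if owner_of(db) not in known_users]


def grant_pattern_to_regex(pattern):
    """Translate a MySQL GRANT database pattern into an anchored regex.

    In GRANT ... ON db.* the database name uses LIKE wildcards: an unescaped
    '_' matches any single character and '%' matches any run of characters.
    A backslash-escaped '\\_' or '\\%' matches the literal character.
    """
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "_%":
            out.append(re.escape(pattern[i + 1]))   # escaped wildcard: literal
            i += 2
            continue
        if ch == "_":
            out.append(".")
        elif ch == "%":
            out.append(".*")
        else:
            out.append(re.escape(ch))
        i += 1
    return "^" + "".join(out) + "$"


def databases_matched_by_grant(pattern, databases):
    """Which existing databases a grant on `pattern`.* would cover."""
    regex = re.compile(grant_pattern_to_regex(pattern))
    return [db for db in databases if regex.match(db)]


def escape_grant_pattern(db_name):
    """Escape '_' and '%' so the GRANT applies to this one database only."""
    return db_name.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")


def literal_grant(user, host, db_name):
    """Build a GRANT limited to exactly db_name (backtick-quoted, wildcards escaped)."""
    return "GRANT ALL PRIVILEGES ON `%s`.* TO '%s'@'%s';" % (
        escape_grant_pattern(db_name), user, host)


if __name__ == "__main__":
    print("unknown owners:", find_invalid_databases(DATABASES, KNOWN_USERS))
    print("covered by unescaped abc_123:", databases_matched_by_grant("abc_123", DATABASES))
    print("covered by escaped abc\\_123:", databases_matched_by_grant(r"abc\_123", DATABASES))
    print(literal_grant("abc", "localhost", "abc_123"))
```

The audit catches the look-alike names only because they have no underscore and therefore no known owner; a name such as abc0123_x would be flagged for the same reason. Comparing `databases_matched_by_grant` for the unescaped and escaped patterns shows why fixing the grant is the durable fix, while hiding the create form in phpMyAdmin only removes one way to reach it.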
 