
 SQL Injecting PhpMyAdmin - ajbatac
http://www.0x000000.com/?i=587
======
jonknee
Not real likely to be attacked, since they would not only need to know the
database name, but the address of the PHPMyAdmin install. But hopefully it's
addressed quickly.

~~~
gaika
How about 127.0.0.1?

~~~
jonknee
I don't have PHPMyAdmin installed locally, I use a GUI client. And you also
don't know the name of my databases. As I said, I hope it gets addressed
quickly, but I just don't see it very likely that this will be exploited
whatsoever.

------
sapphirecat
Now if the title was "CSRF against PhpMyAdmin" then it would make more sense.
Given that PMA has a form dedicated to letting you run arbitrary SQL
statements, the fact that it allows arbitrary statements to be run is not
news.

------
thenotself
CSRF attacks are weak. You'd have to know my website's phpMyAdmin location (if
I used phpMyAdmin) and my table names in order to do this. CSRF attacks are
only scary when they affect major websites.

~~~
simonw
CSRF attacks are strong. I can write an attack that tries dozens of different
potential combinations of URL and table names just as easily as I can attack
one.

Not to mention that many people use their web host's one-click install tool
which always puts scripts like phpMyAdmin in the same place.

~~~
jonknee
But you still need to know the address of the site. You'd need to create a new
attack site for every victim. And then lure the victim there after they had
just been in PHPMyAdmin. Not exactly like a CSRF in Facebook or something.

It should definitely be fixed, but it really is a weak attack.

------
flupkear
The solution is simple: give access to your database only to people you trust
and don't access your super important database from a public location using
phpMyAdmin!

~~~
rcoder
Actually, the solution is not to _ever_ use phpMyAdmin on a public web server.
Just like Webmin, and every other tool that has god-like power over critical
system resources, it should be on a private IP, accessible only from trusted
systems via an encrypted, strongly-authenticated channel.

~~~
jrockway
This doesn't help. If you use the same web browser for using phpMyAdmin that
you use for visiting the attacker's site, you're hacked.

~~~
rcoder
"Strongly-encrypted channel" basically means VPN in my book. If the phpMyAdmin
server isn't on a publicly-routable IP, and you don't have the VPN tunnel open
when you aren't using the secure host, then it will in fact defeat CSRF.

