Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Fix sql injection in user exists request
Signed-off-by: William Desportes <williamdes@wdes.fr>
- Loading branch information
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason this isn't using a parameterized query?
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@IanRobertson-wpe Yes, prepared statement where implemented in #15492
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good Luck to the besta Team β₯
is 5.0.1 is beta or stable cuz i`t was wrote -> Version information: 5.0.1, ((latest stable version: 4.9.4))
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@phpreza Because of #15860 the "current version" was incorrectly displayed with phpMyAdmin 5.0.0 and 5.0.1. That should be fixed with the next release, which will be 5.0.2.
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@williamdes Is there a specific reason, that the serverity of this vulnerability is "serious"? Is it because of the "phpMyAdmin configuration storage", since this injection concerns the mysql control connection?
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@zeront4e I'm not sure I follow the purpose of your question; are you asking because you think it should be downgraded to "moderate" or something similar? Because the attacker needs access to the server, it could be argued that this is not severe, but we felt that the possibility of exploiting this in a shared hosting environment justified the serious rating.
I don't believe this has to do with the control user or phpMyAdmin configuration storage.
It could be that we're talking about two different things, but
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@ibennetch Thank you for the answer! I'm just investigating the vulnerability as part of my computer science studies. We tried to exploit the vulnerability in practice (in an isolated environment). To achieve that it is necessary to gain additional privileges in a multi-user environment.
We just noticed that phpMyAdmin executes queries with the user credentials, provided on the login page, when using HTTP- or cookie-based authentication. Because of that it seemed hard to "exploit" the vulnerability, particularly without modifying phpMyAdmin.
The security policy of phpMyAdmin states that SQL injections are serious if they concern "the mysql control connection", which could lead to additional privileges. So we weren't sure if we missed some important information to gain higher privileges, especially by using this SQL injection vulnerability.
That's the reason for my previous question. :)
c86acbf
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I see; that makes sense. There is no further escalation involved and it doesn't exploit the control user, we just (somewhat arbitrarily) felt that was an appropriate severity for such a report. Good luck with your studies.