Storing 'currentDB' in the session as just an index is dangerous
Originally reported on Google Code with ID 67
What steps will reproduce the problem?
1. Set $directory to scan for databases in a folder with databases
2. Make the first database current.
3. Copy it or another database (on the filesystem) to "aaaaa.db" (alphabetically first)
What is the expected output? What do you see instead?
I expected the first database to remain current but suddenly aaaaa.db has become current.
Very dangerous.
What version of the product are you using? On what operating system?
Version 1.8.9
Please provide any additional information below.
The problem is that $_SESSION[COOKIENAME.'currentDB'] is only an index in an array
that gets dynamically repopulated on every refresh.
This is especially dangerous when an application in the background dynamically creates
databases.
If the currentDB would store the database name it would be much safer.
Reported by jos.grootlipman
on 2011-10-31 20:39:10
Comments (4)
-
-
Account Deleted ``` If I create the database with the phpliteadmin interface I surely want it to become the current one.
However in my case the database is created outside phpliteadmin by *another* process or user. Phpliteadmin does not 'know' this and suddenly makes it current if (and only if) it comes alphabetically before the current one.
As for dangerous: suppose my current database is the first one in the list. I go to the 'Delete database' screen and take a coffee break. In the mean time another process (or user) adds another database by the name aaaaa.db. Now when *I* press 'Confirm' not *my* current database will be deleted but the first one, 'aaaaa.db' ```
Reported by `jos.grootlipman` on 2011-10-31 22:43:36
-
I really agree to you. This is a serious problem that, as you say, could lead to data loss for example. I'll fix it soon.
Reported by
crazy4chrissi
on 2012-10-22 22:11:16 - Labels added: Priority-Critical - Labels removed: Priority-Medium -
Fixed this issue with revision #241. Instead of the array-index, I now store the complete array-element in the session. When switching DBs, I now use the DB-path, which also fixes issue #68 for free. Note that you still can only access DBs that are defined in $databases. This means that this fix does not open a security issue that would allow a user to access any DB. If you give a path to a DB that is not in $databases, the change is simply ignored. You can try the latest SVN version: http://phpliteadmin.googlecode.com/svn/source/1.9.3/phpliteadmin.php
Reported by
crazy4chrissi
on 2012-10-23 22:20:35 - Status changed:Fixed
- Log in to comment
``` This is intended behavior. When you create a new database, chances are, you will want to manage that database immediately after. Right? How is this "very dangerous"? ```
Reported by `diracleo` on 2011-10-31 22:24:17 - Status changed: `Accepted`