phptest-users

[Phptest-users] MySQL 4.0, weird bug, security hole?


From: Dan Kegel
Subject: [Phptest-users] MySQL 4.0, weird bug, security hole?
Date: Tue, 02 Sep 2003 08:24:07 -0700
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624

pair.com just upgraded to MySQL 4.0, I think, and this
may have broken phptest.  (I'm still using phpTest 0.6.1,
since I'm afraid that if I update, I'll lose all my
painfully-typed-in questions).

Anyone else notice problems with MySQL 4.0?  Here are the symptoms:

A user reported that my phptest installation was broken
(he registered, but was told that "no tests were available"),
so I tried it.  Sure enough, new users don't see any tests.
But I stumbled on an interesting bug.  After adding the user
and logging in, I then clicked 'Back' a few times, and up
popped a confused adduser page, *while logged in as the test user!*

The URL was
http://www.kegel.com/phptest/add_user.php?PHPSESSID=956a70e2332d7dd1b036a9dd87f8e4f2

The page contents:

Left column:

Hello Joe User

Change password
View test results
Log out

Right column:

You can use the form below to add a user account. Username and password are 
required fields, all the others are not.

        
Warning: Invalid argument supplied for foreach() in /usr/www/users/dank/kegel/phptest/include/functions.inc.php on line 265

Warning: Invalid argument supplied for foreach() in /usr/www/users/dank/kegel/phptest/include/functions.inc.php on line 450

Warning: Invalid argument supplied for foreach() in /usr/www/users/dank/kegel/phptest/include/functions.inc.php on line 265

Desired username:


Password:


Confirm password:


Email address


Real Name


Groups this user belongs to:
Science Class
Math Class
English Class
History Class
Spanish Class
Economics Class
visitors

Select the skill levels which this user will have permission to add, edit and 
delete questions and tests from.
make
gcc
unix commands


Select the groups which this user will have permission to add, edit and delete 
users from.
Science Class
Math Class
English Class
History Class
Spanish Class
Economics Class
visitors

--
Dan Kegel
http://www.kegel.com
http://counter.li.org/cgi-bin/runscript/display-person.cgi?user=78045




