Subject: Re: phpMyAdmin security
tcv@ninjatech.cjb.net
Date: Fri Aug 15 2003 - 11:00:15 AKDT


>
>
> Looks like all I had to do what set the authentication type to http and
> it used the mysql user database as my authentication database. This is
> set in the config.inc.php file
>
> So if I have an mysql user call 'mike' with a password, I would just use
> that to access phpmyadmin. I think it will also only let me access
> those things in the mysql database to which the mike user is granted
> access to.
>

The preferred authentication method for phpmyadmin was by cookie,
#From config.inc.php
$cfgServers[1]['controluser'] = 'pma';
$cfgServers[1]['controlpass'] = '$l4t3d,f0x0n-p4tr0l';
$cfgServers[1]['auth_type'] = 'cookie';

Until several cross-site scripting vulns were discovered recently.
Several of the scripts didn't validate user input.
sql.php / sql.php3,pdf_schema.php,pdf_pages.php,ldi_table.php
mult_submits.inc.php, db_datadict.php, db_printview.php
read_dump.php

As of 2.5.2-dev, all passwords are encrypted via the blowfish
algorithm, a far better choice than cookie authentication.

If you are using an older version than 2.5.2-dev, upgrade
and create an .htaccess like so in the pma directory

<IfModule mod_ssl.c>
  SSLRequireSSL
</IfModule>
<IfModule !mod_ssl.c>
  Redirect /phpmyadmin
    https://localhost/phpmyadmin
</IfModule>

where localhost is your fqdn.

Also, it may be germane to note that there has been a directory traversal vulnerability reported in
/db_details_importdocsql.php?submit_show=true&do=import&docpath=../../../

that reportedly affects all versions including the latest, although
the phpmyadmin developers deny this.

Another consideration is PMA's security history which can be reviewed by typing in "phpmyadmin exploit" at google.com

To be fair, almost all php based web administration packages (php-nuke, post-nuke, phpbb) have horrid security histories that make the headache of keeping up with the bugs outweigh their convenience (IMO).

If you are looking for a content management system with a decent security model, I would recommend OpenCMS.

http://www.opencms.org/opencms/en/

If you still decide to run phpmyadmin, at least put it somewhere other than the default directory in your httpd tree as well as the above, as this will cut down on a high percentage of unskilled attackers.

Cheers,
        Security Grinch

---------------------------------------------------------------------
pub 1024D/6F04299B 2003-08-10 T.C.V. (Postatem obscuri lateris nescitis) <tcv@ninjatech.cjb.net>
Key fingerprint = 2E8F 57BF 31FC 1344 7BB3 2D08 AB33 1185 6F04 299B
sub 2048g/431F3112 2003-08-10 [expires: 2004-08-09]
---------------------------------------------------------------------
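The message above points at two bug classes in the scripts it lists: unvalidated user input echoed back into pages (cross-site scripting) and a file path taken straight from a request parameter (the docpath directory traversal). The following is an added example, not code from the poster or from phpMyAdmin, of the checks a maintainer would put in front of such a parameter: canonicalize the path with realpath(), confirm it still lies inside the intended base directory, and HTML-encode anything reflected to the browser. The function names, the temporary directory and the sample file are assumptions constructed for the demonstration.

```php
<?php
// Added example (not phpMyAdmin's own code): confine a user-supplied path
// such as a "docpath" request parameter to one base directory.
// Returns the canonical path on success, or null if the request must be refused.
function resolve_within_base(string $base, string $userPath): ?string
{
    $realBase = realpath($base);
    if ($realBase === false) {
        return null; // base directory itself is missing; fail closed
    }
    // NUL bytes truncate paths in the underlying C filesystem calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", "." and symlinks, so the containment check
    // below sees the file the OS would actually open.
    $candidate = realpath($realBase . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // does not exist or cannot be resolved
    }
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($candidate !== $realBase
        && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to somewhere outside the base directory
    }
    return $candidate;
}

// Output encoding for any request value reflected into HTML (the XSS side):
// attribute quotes and angle brackets become entities, so script cannot be injected.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// --- constructed demonstration ---------------------------------------------
// Assumed layout: a scratch directory standing in for the docs directory,
// holding one constructed sample file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pma_docs_example_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'schema.sql', "-- constructed sample\n");

$requests = [
    'schema.sql',                 // legitimate: accepted
    './schema.sql',               // legitimate after canonicalization: accepted
    '../../../etc/passwd',        // traversal attempt: refused
    "schema.sql\0.txt",           // NUL-byte trick: refused
    'does-not-exist.sql',         // unknown file: refused (no path disclosure)
];
foreach ($requests as $docpath) {
    $resolved = resolve_within_base($base, $docpath);
    printf("%-28s => %s\n",
        html_escape(str_replace("\0", '\0', $docpath)),
        $resolved === null ? 'REFUSED' : 'ok');
}

// Reflecting a hostile value safely: the tags come back as text, not markup.
echo html_escape('<script>alert(1)</script>'), "\n";

// clean up the scratch directory
unlink($base . DIRECTORY_SEPARATOR . 'schema.sql');
rmdir($base);
```

Run it with `php example.php`: the first two requests print `ok`, the remaining three print `REFUSED`, and the final line prints the script tag as literal text. The prefix comparison is done on the realpath() result rather than on the raw string, which is what defeats `..` sequences, mixed separators and symlinks pointing out of the directory; refusing nonexistent files with the same null result avoids leaking which paths exist.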