Yes, there are security issues, see our security page on phpmyadmin.net.
The full date for implementing this is unknown.
By the way, do you have triggers? If not you could just disable this part of the code to avoid this query.
-----Original Message-----
From: Rekrutacja <rekrutacja119(a)gmail.com>
To: phpmyadmin-cvs(a)lists.sourceforge.net
Date: Tue, 06 May 2008 14:55:32 +0200
Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in
Yes, but you said 'so I merged the change and the doc reference', and
then asked me if it is faster now, so I assumed you changed something.
Anyway, it didn't help, and yes, I have many, many databases.
I'm using the latest 2.6 PMA branch now to avoid it; are there any security
issues with this old PMA?
Is DisableIS going to be implemented fully soon?
Marc Delisle wrote:
> I think Sebastian answered previously that the DisableIS setting is not fully implemented. Also, please provide more information: do you have a large number of databases/tables?
>
> -----Original Message-----
> From: Rekrutacja <rekrutacja119(a)gmail.com>
> To: phpmyadmin-cvs(a)lists.sourceforge.net
> Date: Mon, 05 May 2008 16:29:48 +0200
> Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in
>
>>>>> The EVENT_OBJECT_SCHEMA seems to always have the same content as
>>>>> TRIGGER_SCHEMA, but I just noticed that in the MySQL manual they
>>>>> suggest using TRIGGER_SCHEMA in the WHERE clause as you suggested,
>>>>> so I merged the change and the doc reference (for version 2.11.7)
>>>>>
>>>>> http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/ph…
>>>>>
>>>>> Rekrutacja, is it faster this way on your server?
>>>> I've tried the latest 3.0-dev version from SVN (did a checkout just a few
>>>> minutes ago), and it is still slow.
>>>>
>>>> Query | 30 | checking permissions | SELECT TRIGGER_SCHEMA,
>>>> TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT,
>>>> EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS
>>>> WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = 'phpbb2_confirm'
>>> What's your MySQL server version?
>>>
>>>
>> 5.0.51a-3, from the Debian package
>>
>>
>
> So, any news? My server is still affected; I've tried the latest 3.0
> version, snapshot from 5th May, and it is still happening.
>
> Got this for example:
>
> Query | 37 | checking permissions | SELECT TRIGGER_SCHEMA,
> TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT,
> EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS
> WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE =
> 'phpbb_poll_options' |
>
>
> I suppose it's turned on; the only place I see this option is
> libraries/config.default.php
>
> # grep DisableIS libraries/config.default.php
> $cfg['Servers'][$i]['DisableIS'] = true;
> #
>
> So I suppose it's enough.
>
> Why is it not working?
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/java…
> _______________________________________________
> Phpmyadmin-cvs mailing list
> Phpmyadmin-cvs(a)lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-cvs
>
>
>
>
I think Sebastian answered previously that the DisableIS setting is not fully implemented. Also, please provide more information: do you have a large number of databases/tables?
-----Original Message-----
From: Rekrutacja <rekrutacja119(a)gmail.com>
To: phpmyadmin-cvs(a)lists.sourceforge.net
Date: Mon, 05 May 2008 16:29:48 +0200
Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in
>>>>
>>>> The EVENT_OBJECT_SCHEMA seems to always have the same content as
>>>> TRIGGER_SCHEMA, but I just noticed that in the MySQL manual they
>>>> suggest using TRIGGER_SCHEMA in the WHERE clause as you suggested,
>>>> so I merged the change and the doc reference (for version 2.11.7)
>>>>
>>>> http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/ph…
>>>>
>>>> Rekrutacja, is it faster this way on your server?
>>>
>>> I've tried the latest 3.0-dev version from SVN (did a checkout just a few
>>> minutes ago), and it is still slow.
>>>
>>> Query | 30 | checking permissions | SELECT TRIGGER_SCHEMA,
>>> TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT,
>>> EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS
>>> WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = 'phpbb2_confirm'
>>
>> What's your MySQL server version?
>>
>>
>
> 5.0.51a-3, from the Debian package
>
>
So, any news? My server is still affected; I've tried the latest 3.0
version, snapshot from 5th May, and it is still happening.
Got this for example:
Query | 37 | checking permissions | SELECT TRIGGER_SCHEMA,
TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT,
EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE =
'phpbb_poll_options' |
I suppose it's turned on; the only place I see this option is
libraries/config.default.php
# grep DisableIS libraries/config.default.php
$cfg['Servers'][$i]['DisableIS'] = true;
#
So I suppose it's enough.
Why is it not working?
Hi,
At Debian we've gotten a bug report which I'm quoting below. Basically, the
user has hashing of his sessions dir, but this is apparently broken by the
following bit of code that phpMyAdmin employs in session.php:
// use more secure session ids (with PHP 5)
if (version_compare(PHP_VERSION, '5.0.0', 'ge')
    && substr(PHP_OS, 0, 3) != 'WIN') {
    ini_set('session.hash_function', 1);
    ini_set('session.hash_bits_per_character', 6);
}
As I understand it, only the first option actually changes the security, as it
increases the number of bits in the algorithm. Changing the
hash_bits_per_character option only changes the style of the session hash
names, not their security.
Yet, "hard" overriding this second option causes trouble for sysadmins that
have enabled hashing of their session dir as in the quoted bug report. I see
no real reason to hardcode the bits_per_character option, as the only thing
it does is make the IDs a bit shorter, but they're not human readable
anyway...
Is there a reason why bits_per_character is hardcoded, or could it be removed?
thanks,
Thijs
=== begin quote ===
Enabling hashing session files to directories[1] with default php
configuration requires creating a directory hierarchy[2] for them.
Phpmyadmin enforces different session names[3] than configured by
sysadmin, but does use default directory and hashing depth. So if
sysadmin creates hierarchy for his session naming scheme, phpmyadmin
will fail creating (some) of the session files because no directories
[G-Zg-z] (and maybe more?) exist in the directory tree.
IMO phpmyadmin should honor session settings in the main php.ini or
allow this behaviour to be configured by debconf (along with its own
session directory).
[1] accomplished by setting session.save_path="2;/var/lib/php5" in
/etc/php5/apache2/php.ini
- session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199
- is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199
[2] with default php setting sessions are hashed to hex-digit
directories (session.hash_bits_per_character = 4)
[3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK]
=== end quote ===
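To make the interaction in the quoted report concrete, here is an added example (not phpMyAdmin's or PHP's own code) that models how PHP turns a hash digest into a session ID for a given session.hash_bits_per_character, resolves an "N;/dir" session.save_path to the file the ID lands in, and lists the directory levels a hex-only hierarchy (built for 4 bits per character) would be missing. The digest encoding mirrors PHP's bin_to_readable() as I understand it (LSB-first groups of n bits, one final partial group); the sample digests are constructed.

```python
import hashlib
import os

# Alphabet PHP uses for session IDs; the first 2**n entries are used for
# session.hash_bits_per_character = n (4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z,-).
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,-"


def encode_session_id(digest: bytes, bits_per_char: int) -> str:
    """Model of PHP's bin_to_readable(): consume the digest LSB-first in
    bits_per_char-sized groups, emitting one final group for leftover bits."""
    mask = (1 << bits_per_char) - 1
    out, acc, have, pos = [], 0, 0, 0
    while True:
        if have < bits_per_char:
            if pos < len(digest):
                acc |= digest[pos] << have
                pos += 1
                have += 8
            elif have == 0:
                break  # digest fully consumed, nothing pending
            else:
                have = bits_per_char  # final round with the leftover bits
        out.append(ALPHABET[acc & mask])
        acc >>= bits_per_char
        have -= bits_per_char
    return "".join(out)


def sha1_session_id(entropy: bytes, bits_per_char: int) -> str:
    """session.hash_function = 1 selects SHA-1 (160 bits): 40 chars at 4 bits
    per character, 27 chars at 6 bits per character."""
    return encode_session_id(hashlib.sha1(entropy).digest(), bits_per_char)


def session_file_path(save_path: str, session_id: str) -> str:
    """Resolve an 'N;/dir' session.save_path: the first N characters of the
    ID each select one directory level below /dir."""
    depth, _, base = save_path.partition(";")
    levels = [session_id[i] for i in range(int(depth))]
    return os.path.join(base, *levels, "sess_" + session_id)


def missing_levels(save_path: str, session_id: str,
                   existing_alphabet: str = "0123456789abcdef") -> list:
    """Directory levels this ID needs that a hierarchy created for hex
    (4-bit) IDs does not contain; non-empty means session_start() fails."""
    depth = int(save_path.partition(";")[0])
    return [c for c in session_id[:depth] if c not in existing_alphabet]
```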
Hi devs,
I've been investigating phpMyAdmin within my Bachelor's thesis "Application
of security test tools in open source" at the Free University of Berlin
(FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities, especially with security test
tools.
phpMyAdmin is probably the most popular MySQL web front-end.
I have searched across the homepage, wiki, the mailing list and repo.
I have noticed some things I'd like to remark on:
A security response team [2] handles security vulnerabilities and patches
them immediately.
You've been suffering quite a lot of XSS in the past [3]. You
introduced a security token.
Finally, most releases do include security fixes.
I am sure that you do anything you can to assure security.
Concluding from the XSS attacks and eventually SQL injection (from which
most PHP apps suffer), does this team or any other group/person take any
measures to assure security with testing tools, with a special test plan
or functional requirements?
I guess the first step would be to turn off "register_globals".
Additionally, there seems to be some great fuzzers out there for website
testing and SQL injection like Wfuzz or Absinthe.
Thanks in advance,
Michael
[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://www.phpmyadmin.net/home_page/security.php
[3] http://wiki.cihar.com/pma/XSS
--
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org