May 2008 - Developers - lists.phpmyadmin.net

Re: [Phpmyadmin-devel] [Phpmyadmin-cvs] DisableIS in
by Marc Delisle 07 May '08

07 May '08

Yes, there are security issues, see our security page on phpmyadmin.net. The full date for implementing this is unknown. By the way, do you have triggers? If not you could just disable this part of the code to avoid this query. -----Original Message----- From: Rekrutacja <rekrutacja119(a)gmail.com> To: phpmyadmin-cvs(a)lists.sourceforge.net Date: Tue, 06 May 2008 14:55:32 +0200 Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in yes, but you said 'so I merged the change and the doc reference' , and then asked me if it is faster now, so i assumed you changed something. anyways, it didn't help, and yes, i have many many databases. i'm using latest 2.6 pma branch now to avoid it, is there any security issues with this old pma? does DisableIS is going to be implemented fully soon? Marc Delisle wrote: > I think Sebastian answered previously that the DisableIS setting is not fully implemented. Also, please provide more information: do you have a large number of databases/tables? > > -----Original Message----- > From: Rekrutacja <rekrutacja119(a)gmail.com> > To: phpmyadmin-cvs(a)lists.sourceforge.net > Date: Mon, 05 May 2008 16:29:48 +0200 > Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in > >>>>> The EVENT_OBJECT_SCHEMA seems to always have the same content as >>>>> TRIGGER_SCHEMA, but I just noticed that in the MySQL manual they >>>>> suggest using TRIGGER_SCHEMA in the WHERE clause as you suggested, >>>>> so I merged the change and the doc reference (for version 2.11.7) >>>>> >>>>> http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/ph… >>>>> >>>>> Rekrutacja, is it faster this way on your server? >>>> i've tried latest 3.0-dev version, from svn (did checkout just few >>>> minutes ago), and it is still slow. >>>> >>>> Query | 30 | checking permissions | SELECT TRIGGER_SCHEMA, >>>> TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT, >>>> EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS >>>> WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = 'phpbb2_confirm' >>> whats your MySQL server version? >>> >>> >> 5.0.51a-3 , from debian package >> >> > > so, any news? my server is still affected, i've tried latest 3.0 > version, snapshot from 5th may, and it is still happening. > > got this for example: > > Query | 37 | checking permissions | SELECT TRIGGER_SCHEMA, > TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT, > EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS > WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = > 'phpbb_poll_options' | > > > i suppose it's turned on, the only place i see this options is > libraries/config.default.php > > # grep DisableIS libraries/config.default.php > $cfg['Servers'][$i]['DisableIS'] = true; > # > > so i suppose it's enough. > > why it's not working? > > ------------------------------------------------------------------------- > This SF.net email is sponsored by the 2008 JavaOne(SM) Conference > Don't miss this year's exciting event. There's still time to save $100. > Use priority code J8TL2D2. > http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/java… > _______________________________________________ > Phpmyadmin-cvs mailing list > Phpmyadmin-cvs(a)lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/phpmyadmin-cvs > > > > ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/java… _______________________________________________ Phpmyadmin-cvs mailing list Phpmyadmin-cvs(a)lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-cvs

1 0

Re: [Phpmyadmin-devel] [Phpmyadmin-cvs] DisableIS in
by Marc Delisle 05 May '08

05 May '08

I think Sebastian answered previously that the DisableIS setting is not fully implemented. Also, please provide more information: do you have a large number of databases/tables? -----Original Message----- From: Rekrutacja <rekrutacja119(a)gmail.com> To: phpmyadmin-cvs(a)lists.sourceforge.net Date: Mon, 05 May 2008 16:29:48 +0200 Subject: Re: [Phpmyadmin-cvs] [Phpmyadmin-devel] DisableIS in >>>> >>>> The EVENT_OBJECT_SCHEMA seems to always have the same content as >>>> TRIGGER_SCHEMA, but I just noticed that in the MySQL manual they >>>> suggest using TRIGGER_SCHEMA in the WHERE clause as you suggested, >>>> so I merged the change and the doc reference (for version 2.11.7) >>>> >>>> http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/ph… >>>> >>>> Rekrutacja, is it faster this way on your server? >>> >>> i've tried latest 3.0-dev version, from svn (did checkout just few >>> minutes ago), and it is still slow. >>> >>> Query | 30 | checking permissions | SELECT TRIGGER_SCHEMA, >>> TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT, >>> EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS >>> WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = 'phpbb2_confirm' >> >> whats your MySQL server version? >> >> > > 5.0.51a-3 , from debian package > > so, any news? my server is still affected, i've tried latest 3.0 version, snapshot from 5th may, and it is still happening. got this for example: Query | 37 | checking permissions | SELECT TRIGGER_SCHEMA, TRIGGER_NAME, EVENT_MANIPULATION, ACTION_TIMING, ACTION_STATEMENT, EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA= 'test99' and EVENT_OBJECT_TABLE = 'phpbb_poll_options' | i suppose it's turned on, the only place i see this options is libraries/config.default.php # grep DisableIS libraries/config.default.php $cfg['Servers'][$i]['DisableIS'] = true; # so i suppose it's enough. why it's not working? ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/java… _______________________________________________ Phpmyadmin-cvs mailing list Phpmyadmin-cvs(a)lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/phpmyadmin-cvs

1 0

[Phpmyadmin-devel] secure session through hash_bits_per_character?
by Thijs Kinkhorst 01 May '08

01 May '08

Hi, At Debian we've gotten a bug report which I'm quoting below. Basically, the user has hashing of his sessions dir, but this is appearently broken by the following bit of code that phpMyAdmin employs in session.php: // use more secure session ids (with PHP 5) if (version_compare(PHP_VERSION, '5.0.0', 'ge') && substr(PHP_OS, 0, 3) != 'WIN') { ini_set('session.hash_function', 1); ini_set('session.hash_bits_per_character', 6); } As I understand it, only the first option actually changes the security, as it increases the number of bits in the algorithm. Changing the hash_bits_per_character option only changes the style of the session hash names, not their security. Yet, "hard" overriding this second option causes trouble for sysadmins that have enabled hashing of their session dir as in the quoted bug report. I see no real reason to hardcode the bits_per_character option, as the only thing it does is make te ID's a bit shorter, but they're not human readable anyway... Is there a reason why bits_per_character is hardcoded, or could it be removed? thanks, Thijs === begin quote === Enabling hashing session files to directories[1] with default php configuration requires creating a directory hierarchy[2] for them. Phpmyadmin enforces different session names[3] than configured by sysadmin, but does use default directory and hashing depth. So if sysadmin creates hierarchy for his session naming scheme, phpmyadmin will fail creating (some) of the session files because no directories [G-Zg-z] (and maybe more?) exist in the directory tree. IMO phpmyadmin should honor session settings in the main php.ini or allow this behaviour to be configured by debconf (along with its own session directory). [1] accomplished by setting session.save_path="2;/var/lib/php5" in /etc/php5/apache2/php.ini - session name: sess_a1765f9b22bc2e2c2b672f4ab34a3199 - is stored as /var/lib/php5/a/1/sess_a1765f9b22bc2e2c2b672f4ab34a3199 [2] with default php setting sessions are hashed to hex-digit directories (session.hash_bits_per_character = 4) [3] /usr/share/phpmyadmin/libraries/session.inc.php:66 [in 2.9.1.1 -TK] === end quote ===

2 2

[Phpmyadmin-devel] Assuring Security by testing
by Michael Osipov 01 May '08

01 May '08

Hi devs, I've been investigating phpMyAdmin within my Bachelor's thesis "Application of security test tools in open source" at the Free University of Berlin (FU Berlin) [1]. Basically, I am looking for security measures which have been taken to prevent security leaks/vulnerabilities especially with security test tools phpMyAdmin is probably the most popular MySQL web front-end. I have searched across the homepage, wiki, the mailist list and repo. I have noticed some things, I'd like like to remark: A security reponse team [2] handles security vulnerabilities and patches them immediately. You've been sufferting quite a lot of XSS in the past [3]. You introduced a security token. Finally, most releases do include security fixes. I am sure that you do anything you can to assure security. Concluding from the XSS attacks and eventually SQL injection (from which most php apps suffer), does this team or any other group/person take any measures to assure security with testing tools, with a special test plan or functional requirements? I guess the first step would be to turn off "register_globals". Additionally, there seems to be some great fuzzers out there for website testing and SQL injection like Wfuzz or Absinthe. Thanks in advance, Michael [1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools [2] http://www.phpmyadmin.net/home_page/security.php [3] http://wiki.cihar.com/pma/XSS -- <NO> OOXML - Say NO To Microsoft Office broken standard http://www.noooxml.org

1 0