Re: [Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Marc Delisle schrieb: > Sebastian Mendel a écrit : >> Marc Delisle schrieb: >>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a >>> security fix. >>> >>> Security announcement: >>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1 >>> >>> The release notes and download info are available on >>> http://www.phpmyadmin.net. >>> >>> Marc Delisle, for the team. >> a big german IT news site (heise.de) has reported about our latest release, >> but find fault that the description is unclear what exactly the problem is >> >> possible we should add the term used by stefan esser: "Delayed Cross Site >> Request Forgery" >> >> and explain: another application could set a cookie for the root path '/' >> which could override phpMyAdmins _GET or _POST params, f.e. a cookie called >> sql_query would always overwrite the user submitted sql_query, caused by the >> fact PHP imports (be dafault) first GET than POST than COOKIE >> > In such security announcements, it's not always clear what is better for > the whole community: provide a quasi-exploit or stay vague... I chose to > stay vague. yes, i understand, but looking at the patch will reveal to most of them whats going on, at least the people with enough knowledge, and the 'bad guys' usually have enough knowledge and time to investigate, and the good guys are lacking the time ... or? usually only the big closed source players do not tell what exactly was fixed ...