Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
Sebastian Mendel wrote:
Marc Delisle wrote:
> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a
> security fix.
>
> Security announcement:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>
> The release notes and download info are available on
> http://www.phpmyadmin.net.
>
> Marc Delisle, for the team.

a big German IT news site (heise.de) has reported about our latest release, but finds fault that the description is unclear about what exactly the problem is
possibly we should add the term used by Stefan Esser: "Delayed Cross Site Request Forgery"
and explain: another application could set a cookie for the root path '/' which could override phpMyAdmin's _GET or _POST params, e.g. a cookie called sql_query would always overwrite the user-submitted sql_query, caused by the fact that PHP imports (by default) first GET, then POST, then COOKIE
In such security announcements, it's not always clear what is better for the whole community: provide a quasi-exploit or stay vague... I chose to stay vague.
yes, i understand, but looking at the patch will reveal to most of them what's going on, at least to the people with enough knowledge, and the 'bad guys' usually have enough knowledge and time to investigate, and the good guys are lacking the time ... or?
usually only the big closed source players do not tell what exactly was fixed ...
Now that the explanation is on the phpmyadmin-devel list, I'll update the PMASA.
oops, this was not my aim, i did not want to overwhelm you or impose it
i really just wanted to discuss this and fully respect your decisions as release manager and admin (and personal)!
Is the updated PMASA-2008-1 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1 appropriate for you?
yes, thank you
and the big German IT news site?
i think so ... i am not in contact with them, it is just what they wrote in their article
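The cookie-override mechanism described earlier in this thread, as an added illustration that is not phpMyAdmin's own code: a merge function that mirrors PHP's default $_REQUEST source order, a lookup that trusts $_REQUEST, and a hardened lookup that reads only GET and POST. The function names and the sample cookie value are constructed for this example.

```php
<?php
// Added illustration (not phpMyAdmin code): a cookie scoped to path '/'
// shadows a GET/POST parameter when an application reads $_REQUEST.

// Merge request sources the way PHP builds $_REQUEST by default
// (variables_order "EGPCS": GET, then POST, then COOKIE; later sources
// overwrite keys set by earlier ones).
function build_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

// Vulnerable pattern: trusting $_REQUEST for a security-relevant parameter.
function query_from_request(array $request): ?string
{
    return $request['sql_query'] ?? null;
}

// Hardened pattern: read only the sources a form can legitimately use, so
// a cookie planted by another application on the same host cannot shadow
// what the user actually submitted.
function query_from_form(array $get, array $post): ?string
{
    return $post['sql_query'] ?? $get['sql_query'] ?? null;
}

// Constructed sample input: the user posts a harmless query, while a cookie
// named sql_query (set for path '/' by some other application on the host)
// carries a different value.
$get    = [];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'value planted via cookie'];

$request = build_request($get, $post, $cookie);
assert(query_from_request($request) === 'value planted via cookie'); // cookie wins
assert(query_from_form($get, $post) === 'SELECT 1');                // user input wins

// Server-side alternative (PHP >= 5.3): request_order = "GP" in php.ini
// keeps cookies out of $_REQUEST entirely.
echo "request sees: ", query_from_request($request), "\n";
echo "form sees:    ", query_from_form($get, $post), "\n";
```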