Hi devs,
I've been investigating phpMyAdmin within my Bachelor's thesis "Application of security test tools in open source" at the Free University of Berlin (FU Berlin) [1]. Basically, I am looking for security measures which have been taken to prevent security leaks/vulnerabilities especially with security test tools
phpMyAdmin is probably the most popular MySQL web front-end.
I have searched across the homepage, wiki, the mailist list and repo. I have noticed some things, I'd like like to remark:
A security reponse team [2] handles security vulnerabilities and patches them immediately. You've been sufferting quite a lot of XSS in the past [3]. You introduced a security token. Finally, most releases do include security fixes.
I am sure that you do anything you can to assure security.
Concluding from the XSS attacks and eventually SQL injection (from which most php apps suffer), does this team or any other group/person take any measures to assure security with testing tools, with a special test plan or functional requirements?
I guess the first step would be to turn off "register_globals". Additionally, there seems to be some great fuzzers out there for website testing and SQL injection like Wfuzz or Absinthe.
Thanks in advance,
Michael
[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools [2] http://www.phpmyadmin.net/home_page/security.php [3] http://wiki.cihar.com/pma/XSS