[Phpmyadmin-devel] chorizo and phpMyAdmin

[cand. inf. Alexander M. Turek]

Hi Sebastian, Marc, Björn & list,

Marc Delisle schrieb:
> Sebastian Mendel a écrit :
>> Hi,
>>
>> i asked Björn Schotte (CEO Mayflower GmbH) if it would be possible to 'scan'
>> phpMyAdmin for vulnerabilities using chorizo (for free)
>>
>> he said yes if they could publish some case study, press release or
>> something similar
>>
>>
>> Marc? do you think this is possible?
> 
> Yes. Let's hope we have some free time to fix the issues!

I think, that this is a good idea. Scanners like Chorizo are helpful,
but unfortunately people who want to hack a php application are able to
use them too. This is why we probably should know about vulnerabilities
those scanners will find. The mayflower guys showed me Chorizo a couple
of times at the php conferences and it looked pretty good. I haven't
used it myself yet, though.

Scanning phpMyAdmin once with the full version of Chorizo would be a
good thing to do - as long as Björn waits with the publication of his
case study/press release until the vulnerabilities found have been
fixed. And if you would need some additional manpower for the fixing,
I'll be at your service. :-)

But as the development goes on, it is likely, that new vulnerabilities
find their way into phpMyAdmin. So, some agreement that allows the team
to at least scan betas and RCs of planned major releases would be way
more helpful, imho. Unfortunately, a Chorizo license is unaffordable for
open source projects like phpMyAdmin, that don't have a big company in
the background. :-/

Anyway, there is also a free version. Let's give that one a try.

Regards,

Alexander

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: <http://lists.phpmyadmin.net/pipermail/developers/attachments/20071112/2621655b/attachment.sig>