[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Mon Mar 3 15:48:28 CET 2008


Sebastian Mendel a écrit :
> Marc Delisle schrieb:
>> Sebastian Mendel a écrit :
>>> Marc Delisle schrieb:
>>>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a 
>>>> security fix.
>>>>
>>>> Security announcement: 
>>>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>>>>
>>>> The release notes and download info are available on
>>>> http://www.phpmyadmin.net.
>>>>
>>>> Marc Delisle, for the team.
>>> a big german IT news site (heise.de) has reported about our latest release, 
>>> but find fault that the description is unclear what exactly the problem is
>>>
>>> possible we should add the term used by stefan esser: "Delayed Cross Site 
>>> Request Forgery"
>>>
>>> and explain: another application could set a cookie for the root path '/' 
>>> which could override phpMyAdmins _GET or _POST params, f.e. a cookie called 
>>> sql_query would always overwrite the user submitted sql_query, caused by the 
>>> fact PHP imports (be dafault) first GET than POST than COOKIE
>>>
>> In such security announcements, it's not always clear what is better for 
>> the whole community: provide a quasi-exploit or stay vague... I chose to 
>> stay vague.
> 
> yes, i understand, but looking at the patch will reveal to most of them 
> whats going on, at least the people with enough knowledge, and the 'bad 
> guys' usually have enough knowledge and time to investigate, and the good 
> guys are lacking the time ... or?
> 
> usually only the big closed source players do not tell what exactly was 
> fixed ...

Now that the explanation is on the phpmyadmin-devel list, I'll update 
the PMASA.





More information about the Developers mailing list