[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement
Sebastian Mendel
lists at sebastianmendel.de
Mon Mar 3 16:06:36 CET 2008
Marc Delisle wrote:
> Sebastian Mendel wrote:
>> Marc Delisle wrote:
>>> Sebastian Mendel wrote:
>>>> Marc Delisle wrote:
>>>>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a
>>>>> security fix.
>>>>>
>>>>> Security announcement:
>>>>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>>>>>
>>>>> The release notes and download info are available on
>>>>> http://www.phpmyadmin.net.
>>>>>
>>>>> Marc Delisle, for the team.
>>>> a big German IT news site (heise.de) has reported on our latest release,
>>>> but finds fault that the description is unclear about what exactly the problem is
>>>>
>>>> possibly we should add the term used by Stefan Esser: "Delayed Cross Site
>>>> Request Forgery"
>>>>
>>>> and explain: another application could set a cookie for the root path '/'
>>>> which could override phpMyAdmin's _GET or _POST params, e.g. a cookie called
>>>> sql_query would always overwrite the user-submitted sql_query, caused by the
>>>> fact that PHP imports (by default) first GET, then POST, then COOKIE
>>>>
>>> In such security announcements, it's not always clear what is better for
>>> the whole community: provide a quasi-exploit or stay vague... I chose to
>>> stay vague.
>> yes, I understand, but looking at the patch will reveal to most of them
>> what's going on, at least to the people with enough knowledge, and the 'bad
>> guys' usually have enough knowledge and time to investigate, while the good
>> guys are lacking the time ... or?
>>
>> usually only the big closed source players do not tell what exactly was
>> fixed ...
>
> Now that the explanation is on the phpmyadmin-devel list, I'll update
> the PMASA.
oops, this was not my aim, I did not want to overwhelm you or impose it.
I really just wanted to discuss this and fully respect your decisions as
release manager and admin (and personal)!
--
Sebastian
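The override mechanism described in the quoted message, as an added illustration that is not phpMyAdmin's code: PHP builds $_REQUEST by importing GET, then POST, then COOKIE (the "GPC" part of variables_order), so a cookie planted for path '/' with the same name as a parameter wins whenever a script reads the merged array. The `merge_request` helper and the sample arrays are constructed here to reproduce that behaviour from the command line.

```php
<?php
// Added example (not phpMyAdmin code): rebuild $_REQUEST the way PHP does for a
// given import order, then compare reading the merged array against reading
// the expected superglobal directly.

/** Merge G/P/C sources in import order; later sources overwrite earlier keys. */
function merge_request(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge: string keys from the later array replace earlier ones
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

// Constructed sample request: the user POSTs a query, while another
// application on the same host has set a cookie named sql_query for '/'.
$get    = ['db' => 'test'];
$post   = ['sql_query' => 'SELECT 1'];
$cookie = ['sql_query' => 'SELECT 2 /* planted by another app */', 'pma_lang' => 'en'];

$request = merge_request($get, $post, $cookie); // GET, then POST, then COOKIE

// Vulnerable pattern: trusting the merged array, the cookie value wins.
echo 'via $_REQUEST: ', $request['sql_query'], PHP_EOL;

// Hardened pattern: read the parameter only from the source it is expected in,
// so a cookie of the same name cannot shadow it.
$sql = $post['sql_query'] ?? $get['sql_query'] ?? null;
echo 'via $_POST/$_GET: ', $sql, PHP_EOL;
```

In a real request the same shadowing also applies to register_globals, which is why the explicit superglobal lookup is the safer habit regardless of php.ini settings.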