[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Mon Mar 3 16:09:01 CET 2008
Sebastian Mendel wrote:
> Marc Delisle wrote:
>> Sebastian Mendel wrote:
>>> Marc Delisle wrote:
>>>> Sebastian Mendel wrote:
>>>>> Marc Delisle wrote:
>>>>>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a
>>>>>> security fix.
>>>>>>
>>>>>> Security announcement:
>>>>>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>>>>>>
>>>>>> The release notes and download info are available on
>>>>>> http://www.phpmyadmin.net.
>>>>>>
>>>>>> Marc Delisle, for the team.
>>>>> a big German IT news site (heise.de) has reported on our latest release,
>>>>> but finds fault that the description is unclear about what exactly the problem is
>>>>>
>>>>> possibly we should add the term used by Stefan Esser: "Delayed Cross Site
>>>>> Request Forgery"
>>>>>
>>>>> and explain: another application could set a cookie for the root path '/'
>>>>> which could override phpMyAdmin's _GET or _POST params, e.g. a cookie called
>>>>> sql_query would always overwrite the user-submitted sql_query, caused by the
>>>>> fact that PHP imports (by default) first GET, then POST, then COOKIE
>>>>>
>>>> In such security announcements, it's not always clear what is better for
>>>> the whole community: provide a quasi-exploit or stay vague... I chose to
>>>> stay vague.
>>> yes, I understand, but looking at the patch will reveal to most of them
>>> what's going on, at least to the people with enough knowledge, and the 'bad
>>> guys' usually have enough knowledge and time to investigate, and the good
>>> guys are lacking the time ... or?
>>>
>>> usually only the big closed-source players do not tell what exactly was
>>> fixed ...
>> Now that the explanation is on the phpmyadmin-devel list, I'll update
>> the PMASA.
>
> oops, this was not my aim, I did not want to overwhelm you or impose it
>
> I really just wanted to discuss this and fully respect your decisions as
> release manager and admin (and personally)!
>
Is the updated PMASA-2008-1
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
appropriate for you and the big German IT news site?
Marc
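The cookie-precedence problem Sebastian describes in the quoted message, as an added example that is not phpMyAdmin's code and not part of the original thread. It simulates, on constructed sample input, how PHP merges request sources under the built-in default variables_order = "EGPCS" (each later source overwrites the earlier one, so COOKIE beats POST beats GET; this is the precedence register_globals used and that $_REQUEST still uses when request_order is unset), and beside it shows a lookup that consults only $_GET and $_POST so a planted cookie cannot substitute a parameter. The function names mergeLikePhpRequest and requestParam and the sample values are assumptions for illustration.

```php
<?php
// Added example (not phpMyAdmin code): why a cookie named like a request
// parameter can silently replace the submitted value, and the explicit
// lookup that avoids it.

// Constructed sample input: what one request to the application carried.
// Another application on the same host has earlier set a cookie named
// sql_query with path "/", so the browser now sends it to every path.
$_GET    = ['db' => 'test'];
$_POST   = ['sql_query' => 'SELECT 1'];
$_COOKIE = ['sql_query' => 'DROP TABLE users', 'pma_lang' => 'en'];

/**
 * Reproduce PHP's merge of request sources under variables_order = "EGPCS":
 * the letters are applied left to right and a later source overwrites an
 * earlier one, so with the default order a COOKIE value wins over POST and
 * GET. The same precedence applied to register_globals imports, and applies
 * to $_REQUEST when request_order is not set in php.ini.
 * (Function name and the explicit source arrays are assumptions for the demo.)
 */
function mergeLikePhpRequest(array $get, array $post, array $cookie, string $order = 'GPC'): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        if (isset($sources[$letter])) {
            // array_merge(): keys from the right-hand array overwrite the left.
            $merged = array_merge($merged, $sources[$letter]);
        }
    }
    return $merged;
}

/**
 * Hardened lookup: take a request parameter only from the sources the user
 * actually submits it through ($_POST, then $_GET) and never from $_COOKIE,
 * independent of how php.ini orders the superglobals. Returns null when the
 * parameter was not sent at all, so callers can distinguish "absent" from "".
 * (Function name is an assumption for the demo.)
 */
function requestParam(string $name, array $get, array $post)
{
    if (array_key_exists($name, $post)) {
        return $post[$name];
    }
    if (array_key_exists($name, $get)) {
        return $get[$name];
    }
    return null;
}

// Default order: the attacker's cookie replaces the user's query.
$merged = mergeLikePhpRequest($_GET, $_POST, $_COOKIE);
echo "sql_query via EGPCS-style merge : " . $merged['sql_query'] . PHP_EOL;

// Even reordering to "GCP" only changes which source wins; the cookie is
// still a candidate. The safe fix is to not read parameters from cookies.
$reordered = mergeLikePhpRequest($_GET, $_POST, $_COOKIE, 'GCP');
echo "sql_query via GCP-style merge   : " . $reordered['sql_query'] . PHP_EOL;

// Explicit lookup: only the submitted value is used, pma_lang from the
// cookie jar is never consulted as a request parameter either.
echo "sql_query via explicit GET/POST : " . requestParam('sql_query', $_GET, $_POST) . PHP_EOL;
var_dump(requestParam('pma_lang', $_GET, $_POST));
```

Run with `php example.php`. The point the quoted message makes is that the cookie does not have to come from phpMyAdmin itself: any application reachable under the same host (or a parent domain) can set a cookie scoped to path '/', so the application cannot rely on controlling its own cookie names and must instead stop treating cookies as a source of request parameters.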