[Phpmyadmin-devel] phpMyAdmin 2.11.5 and security announcement

Sebastian Mendel lists at sebastianmendel.de
Mon Mar 3 16:16:10 CET 2008


Marc Delisle schrieb:
> Sebastian Mendel a écrit :
>> Marc Delisle schrieb:
>>> Sebastian Mendel a écrit :
>>>> Marc Delisle schrieb:
>>>>> Sebastian Mendel a écrit :
>>>>>> Marc Delisle schrieb:
>>>>>>> Welcome to phpMyAdmin 2.11.5, a bugfix-only version containing a 
>>>>>>> security fix.
>>>>>>>
>>>>>>> Security announcement: 
>>>>>>> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
>>>>>>>
>>>>>>> The release notes and download info are available on
>>>>>>> http://www.phpmyadmin.net.
>>>>>>>
>>>>>>> Marc Delisle, for the team.
>>>>>> a big German IT news site (heise.de) has reported on our latest release,
>>>>>> but finds fault that the description is unclear about what exactly the problem is
>>>>>>
>>>>>> possible we should add the term used by stefan esser: "Delayed Cross Site 
>>>>>> Request Forgery"
>>>>>>
>>>>>> and explain: another application could set a cookie for the root path '/'
>>>>>> which could override phpMyAdmin's _GET or _POST params, f.e. a cookie called
>>>>>> sql_query would always overwrite the user-submitted sql_query, caused by the
>>>>>> fact that PHP imports (by default) first GET, then POST, then COOKIE
>>>>>>
>>>>> In such security announcements, it's not always clear what is better for 
>>>>> the whole community: provide a quasi-exploit or stay vague... I chose to 
>>>>> stay vague.
>>>> yes, i understand, but looking at the patch will reveal to most of them
>>>> what's going on, at least the people with enough knowledge, and the 'bad
>>>> guys' usually have enough knowledge and time to investigate, and the good
>>>> guys are lacking the time ... or?
>>>>
>>>> usually only the big closed source players do not tell what exactly was 
>>>> fixed ...
>>> Now that the explanation is on the phpmyadmin-devel list, I'll update 
>>> the PMASA.
>> oops, this was not my aim, i did not want to overwhelm you or impose it
>>
>> i really just wanted to discuss this and fully respect your decisions as 
>> release manager and admin (and personal)!
>>
> Is the updated PMASA-2008-1
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
> 
> appropriate for you 

yes, thank you

> and the big German IT news site?

i think so ... i am not in contact with them, it is just what they wrote in
their article

-- 
Sebastian
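The override mechanism described earlier in this thread, as an added illustration that is not phpMyAdmin's code nor anything Marc or Sebastian posted: PHP fills $_REQUEST by merging the GET, POST and COOKIE arrays in the order given by variables_order (default "EGPCS"; since PHP 5.3 request_order can narrow it), and a later source overwrites an earlier key. The script below simulates that merge with constructed request data (the $get, $post and $cookie arrays and the buildRequest/queryFromRequest/queryFromPost functions are all assumptions made for this example) so the shadowing can be reproduced from the command line without a web server, and contrasts it with reading the parameter from the one superglobal it is expected on.

```php
<?php
// Added example, not phpMyAdmin code: simulate how PHP's import order lets a
// cookie named like a request parameter shadow the value the user submitted.

// Constructed stand-ins for a real request; no HTTP involved.
$get    = [];
$post   = ['sql_query' => 'SELECT 1'];          // what the user actually typed
$cookie = ['sql_query' => 'value-set-by-cookie']; // cookie for path '/' set by another app on the same host

// Emulate how $_REQUEST is assembled: walk the configured order (G, P, C) and
// let each later source overwrite keys already present (array_merge semantics
// for string keys match PHP's behaviour here).
function buildRequest(string $order, array $get, array $post, array $cookie): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $merged  = [];
    foreach (str_split($order) as $letter) {
        $merged = array_merge($merged, $sources[$letter] ?? []);
    }
    return $merged;
}

// Weak pattern: accept the parameter from whichever source won the merge.
function queryFromRequest(array $request): ?string
{
    return $request['sql_query'] ?? null;
}

// Hardened pattern: read the parameter only from the channel a form submits on,
// so a same-named cookie cannot replace it.
function queryFromPost(array $post): ?string
{
    return $post['sql_query'] ?? null;
}

$requestGPC = buildRequest('GPC', $get, $post, $cookie); // default order: cookie wins
$requestGP  = buildRequest('GP',  $get, $post, $cookie); // request_order="GP": cookie ignored

printf("merge order GPC, \$_REQUEST  : %s\n", queryFromRequest($requestGPC));
printf("merge order GP,  \$_REQUEST  : %s\n", queryFromRequest($requestGP));
printf("explicit \$_POST               : %s\n", queryFromPost($post));
```

Running it prints the cookie value for the GPC merge and the user's SELECT 1 for the other two lines, which is the whole issue in miniature: a cookie scoped to '/' is delivered to every application under that host, so any code path that reads a sensitive parameter from $_REQUEST (or relies on register_globals) inherits it. Reading from $_GET or $_POST explicitly, or restricting request_order to "GP" where the PHP version supports it, are the two configuration-independent defences; the simulated merge also makes it easy to check, for a given deployment's order string, which parameter names are exposed.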