[Phpmyadmin-devel] Assuring Security by testing

Michael Osipov ossipov at inf.fu-berlin.de
Thu May 1 12:41:33 CEST 2008


Hi devs,

I've been investigating phpMyAdmin within my Bachelor's thesis
"Application of security test tools in open source" at the Free
University of Berlin (FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities, especially with security test
tools.

phpMyAdmin is probably the most popular MySQL web front-end.

I have searched across the homepage, wiki, the mailing list and repo.
I have noticed some things I'd like to remark on:

A security response team [2] handles security vulnerabilities and patches
them immediately.
You've been suffering quite a lot of XSS in the past [3]. You
introduced a security token.
Finally, most releases do include security fixes.

I am sure that you do everything you can to assure security.

Concluding from the XSS attacks and eventually SQL injection (from which
most PHP apps suffer), does this team or any other group/person take any
measures to assure security with testing tools, with a special test plan
or functional requirements?

I guess the first step would be to turn off "register_globals".
Additionally, there seem to be some great fuzzers out there for website
testing and SQL injection, like Wfuzz or Absinthe.

Thanks in advance,

Michael

[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://www.phpmyadmin.net/home_page/security.php
[3] http://wiki.cihar.com/pma/XSS
-- 
<NO> OOXML - Say NO To Microsoft Office broken standard
http://www.noooxml.org
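The two measures the mail touches on, disabling "register_globals" and checking a per-session security token, as a worked example. This is added illustration code, not phpMyAdmin's own code and not part of the original message: the function names, the session/request arrays and the `extract()` call used to reproduce the register_globals behaviour are all constructed here for demonstration.

```php
<?php
// Added example (not phpMyAdmin code). Demonstrates (1) why
// register_globals was dangerous, (2) a startup check that refuses to
// run with it enabled, and (3) how a session-bound security token is
// issued and verified.

// --- 1. The register_globals hazard -------------------------------
// With register_globals=On, every GET/POST/COOKIE parameter became a
// global PHP variable. extract($request) below reproduces exactly that
// behaviour so the bug can be shown on a modern PHP where the directive
// no longer exists.
function vulnerable_is_admin(array $session, array $request): bool
{
    extract($request);                 // simulates register_globals=On
    // $is_admin is only assigned on the success path; if the request
    // carried ?is_admin=1, extract() has already defined it.
    if (($session['user'] ?? null) === 'root') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// Hardened: initialise every variable, never let request data define
// local names, and read input only through the superglobals/arrays.
function hardened_is_admin(array $session, array $request): bool
{
    $is_admin = false;
    if (($session['user'] ?? null) === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// --- 2. Refuse to run if register_globals is on --------------------
// ini_get() returns false for an unknown directive (PHP >= 5.4) and
// "" / "0" / "Off" when the directive exists but is disabled.
function register_globals_enabled(): bool
{
    $value = ini_get('register_globals');
    return $value !== false
        && filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// --- 3. Session-bound security token (anti-CSRF) -------------------
function issue_token(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(16));  // 128-bit random
    }
    return $session['token'];
}

function verify_token(array $session, array $request): bool
{
    $expected = $session['token'] ?? null;
    $given    = $request['token'] ?? null;
    if (!is_string($expected) || !is_string($given) || $expected === '') {
        return false;
    }
    // Constant-time comparison so the token cannot be guessed byte by
    // byte from response timing.
    return hash_equals($expected, $given);
}

// --- Demonstration with constructed session/request data ----------
$session = ['user' => 'guest'];
$attack  = ['is_admin' => '1'];        // attacker-controlled parameter

var_dump(vulnerable_is_admin($session, $attack));  // bool(true)  - escalated
var_dump(hardened_is_admin($session, $attack));    // bool(false) - rejected

if (register_globals_enabled()) {
    exit("Refusing to run with register_globals enabled.\n");
}

$token = issue_token($session);
var_dump(verify_token($session, ['token' => $token]));          // bool(true)
var_dump(verify_token($session, ['token' => 'forged']));        // bool(false)
var_dump(verify_token($session, []));                           // bool(false)
```

The `extract()` line is only there to stand in for register_globals; in real code `extract()` on request data is the same bug and should be removed, not hardened. A fuzzer such as the ones mentioned above would find the first function by sending parameters the page never documents (`is_admin`, `loggedin`, `auth`) and watching for a changed response.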