[Phpmyadmin-devel] Assuring Security by testing

Michael Osipov ossipov at inf.fu-berlin.de
Thu May 1 12:41:33 CEST 2008

Hi devs,

I've been investigating phpMyAdmin within my Bachelor's thesis on
"security test tools in open source" at the Free University of Berlin
(FU Berlin) [1].
Basically, I am looking for security measures which have been taken to
prevent security leaks/vulnerabilities especially with security test

phpMyAdmin is probably the most popular MySQL web front-end.

I have searched across the homepage, wiki, the mailing list and repo.
I have noticed some things I'd like to remark on:

A security response team [2] handles security vulnerabilities and patches
them immediately.
You've been suffering quite a lot of XSS in the past [3]. You
introduced a security token.
Finally, most releases do include security fixes.

I am sure that you do anything you can to assure security.

Concluding from the XSS attacks and possibly SQL injection (from which
most PHP apps suffer), does this team
or any other group/person take any measures to assure security with
testing tools, with a special test plan or functional requirements?

I guess the first step would be to turn off "register_globals".
Additionally, there seem to be some great fuzzers out there for website
testing and SQL injection like Wfuzz or Absinthe.

Thanks in advance,


[1] https://www.inf.fu-berlin.de/w/SE/ThesisFOSSSecurityTools
[2] http://www.phpmyadmin.net/home_page/security.php
[3] http://wiki.cihar.com/pma/XSS
<NO> OOXML - Say NO To Microsoft Office broken standard
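As an added illustration of the register_globals point raised in the message above (this is example code written for this page, not phpMyAdmin code and not the poster's): with register_globals on, every request parameter becomes a PHP variable before any of the script's own logic runs, so a variable the script meant to set only after a successful check can be pre-set by the client. The page, the variable names and the credentials below are all hypothetical; the request arrays are constructed inline so the file runs offline.

```php
<?php
// Added example, not phpMyAdmin code. Shows the register_globals hazard,
// a hardened rewrite, and a startup check a deployment can run.
// Hypothetical admin gate: $authorized should only become true after a login check.

// Vulnerable pattern. extract() is used here purely to SIMULATE what
// register_globals = On does: import every request parameter as a variable.
// A request such as page.php?authorized=1 then sets $authorized before the check.
function is_admin_vulnerable(array $request)
{
    extract($request);                       // stand-in for register_globals; never do this
    if (isset($user) && $user === 'admin'
        && isset($password) && $password === 'secret') {   // hypothetical credentials
        $authorized = true;
    }
    // $authorized was never initialised, so the attacker's ?authorized=1 survives.
    return isset($authorized) && (bool) $authorized;
}

// Hardened pattern: initialise every state variable before use and read
// client input only from the explicit request array (in real code, $_GET/$_POST).
function is_admin_hardened(array $request)
{
    $authorized = false;
    $user     = isset($request['user'])     ? (string) $request['user']     : '';
    $password = isset($request['password']) ? (string) $request['password'] : '';
    if ($user === 'admin' && $password === 'secret') {   // hypothetical credentials
        $authorized = true;
    }
    return $authorized;
}

// Deployment check: refuse to run when the PHP configuration still has
// register_globals enabled. ini_get() returns "1"/"On"/"" depending on php.ini;
// on PHP >= 5.4 the directive no longer exists and ini_get() returns false.
function register_globals_is_on()
{
    $value = ini_get('register_globals');
    if ($value === false) {
        return false;                        // directive removed in PHP 5.4 and later
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Constructed requests for the demonstration.
$legit    = array('user' => 'admin', 'password' => 'secret');
$attacker = array('authorized' => '1');      // no credentials at all

printf("vulnerable, legit user:    %s\n", is_admin_vulnerable($legit)    ? 'admin' : 'denied');
printf("vulnerable, ?authorized=1: %s\n", is_admin_vulnerable($attacker) ? 'admin' : 'denied'); // admin
printf("hardened,   legit user:    %s\n", is_admin_hardened($legit)      ? 'admin' : 'denied');
printf("hardened,   ?authorized=1: %s\n", is_admin_hardened($attacker)   ? 'admin' : 'denied'); // denied
printf("register_globals enabled:  %s\n", register_globals_is_on() ? 'yes (fix php.ini)' : 'no');
```

The hardened version would still pass a request with the right credentials, of course; the point is that its outcome depends only on values the script reads deliberately, which is also the property a fuzzer like the ones named above is effectively probing for when it sprays unexpected parameter names at a page.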
