#2653 (ok 2.11.5.1) Sensitive data in session files

Status: fixed
Owner: Marc Delisle
Priority: 1
Updated: 2013-06-11
Created: 2008-03-07
Creator: Jim Hermann
Private: No

Support,

How do I prevent phpMyAdmin 2.10.1 from saving the MySQL root password as plain text in the current /tmp session file? I use the cookie auth method. I don't store my password in the config file.

I searched the Help forum and the internet. It appears that the problem was identified back in 2003 with version 2.5 and earlier. I could not find the fix listed anywhere. I would upgrade if a newer version corrects this problem.

Jim

Reference:

http://www.net-security.org/vuln.php?id=2765

****

From: Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>

****

SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

.... I discovered that phpMyAdmin doesn't encode the MySQL user and password; it saves the data in plain text without encoding! ....

------------------
| INFORMATION |
| ENCODING |
| WEAKNESS |
------------------

phpMyAdmin doesn't use any encoding type like BASE64/RadiX64; it only saves the user data (username and password too) in plain text without any encoding.

The authentication token in the cookie is this:

pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
pma_cookie_password=[your password]

A sample is:

pma_cookie_username=god; lang=en-iso-8859-1;
pma_cookie_password=doesnotexist

-----------------
| SOLUTIONS ;-p |
-----------------

****
- Second: Use a partial / secure encoding for authentication tokens like RadiX64 (not very secure, but an attacker
may think that it is a more secure algorithm; obscurity ;-D).
****
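As a way to verify what Jim is asking about, here is an added example that is not part of this tracker thread and not phpMyAdmin code: a small Python parser for PHP's default `php` session serialization (the `name|serialized-value` records that PHP writes to `sess_*` files under `session.save_path`, typically /tmp), which reports every key under which a given secret appears, however deeply it is nested. The session content in SAMPLE_SESSION is constructed for the example; the key names PMA_Config, Server, password, blowfish_secret and PMA_token are assumptions and are not taken from the phpMyAdmin 2.10.1 source.

```python
from pathlib import Path

# Constructed sample of a PHP session file body (php serialization handler).
# The key names are assumptions for this example, not phpMyAdmin's own.
SAMPLE_SESSION = (
    'PMA_Config|a:2:{s:6:"Server";a:2:{s:4:"user";s:4:"root";'
    's:8:"password";s:9:"hunter2!!";}s:15:"blowfish_secret";s:6:"abc123";}'
    'lang|s:13:"en-iso-8859-1";'
    'PMA_token|s:32:"0123456789abcdef0123456789abcdef";'
)


def _unserialize(data, pos):
    """Decode one PHP serialize() value starting at pos.

    Returns (value, position after the value). Handles N, b, i, d, s and a;
    objects (O:) are out of scope here. Lengths in s:N: are byte counts, so
    callers should decode file bytes as latin-1 to keep offsets correct.
    """
    t = data[pos]
    if t == 'N':                       # N;
        return None, pos + 2
    if t in 'ib':                      # i:42;  b:1;
        end = data.index(';', pos)
        n = int(data[pos + 2:end])
        return (bool(n) if t == 'b' else n), end + 1
    if t == 'd':                       # d:1.5;
        end = data.index(';', pos)
        return float(data[pos + 2:end]), end + 1
    if t == 's':                       # s:LEN:"bytes";
        colon = data.index(':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2              # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == 'a':                       # a:COUNT:{key;value key;value ...}
        colon = data.index(':', pos + 2)
        count = int(data[pos + 2:colon])
        p = colon + 2                  # skip :{
        result = {}
        for _ in range(count):
            key, p = _unserialize(data, p)
            val, p = _unserialize(data, p)
            result[key] = val
        return result, p + 1           # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")


def parse_php_session(data):
    """Split a php-handler session body into {name: value}."""
    out = {}
    pos = 0
    while pos < len(data):
        bar = data.index('|', pos)     # names never contain '|'
        name = data[pos:bar]
        value, pos = _unserialize(data, bar + 1)
        out[name] = value
    return out


def _find_paths(value, needle, path=()):
    """Yield dotted key paths of every string leaf that contains needle."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _find_paths(v, needle, path + (str(k),))
    elif isinstance(value, str) and needle in value:
        yield '.'.join(path)


def leaked_keys(session, secret):
    """Sorted list of key paths under which `secret` is stored in clear."""
    return sorted(_find_paths(session, secret))


def scan_session_dir(directory, secret):
    """Map each sess_* file in directory that contains secret to its key paths."""
    hits = {}
    for f in Path(directory).glob('sess_*'):
        session = parse_php_session(f.read_bytes().decode('latin-1'))
        paths = leaked_keys(session, secret)
        if paths:
            hits[f.name] = paths
    return hits


if __name__ == '__main__':
    session = parse_php_session(SAMPLE_SESSION)
    print(leaked_keys(session, 'hunter2!!'))   # ['PMA_Config.Server.password']
    print(leaked_keys(session, 'abc123'))      # ['PMA_Config.blowfish_secret']
```

Run `scan_session_dir('/tmp', '<the MySQL password>')` as a user who can read the web server's session files; a non-empty result means the password survives a request in a file that any local account able to read that directory (or any local-file-read bug in another application on the host) can harvest, which is the exposure the fix in this thread removes.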

Discussion

  • Marc Delisle
    Marc Delisle
    2008-03-12

    Logged In: YES
    user_id=210714
    Originator: NO

    I marked this support request as private, we'll discuss it and come back to you.
    The old identified problem was about storing user and password in cookies, and this was solved a long time ago by using encryption with the Blowfish algorithm, but you are right about the password being in the clear in session data.

     
  • Marc Delisle
    Marc Delisle
    2008-03-12

    • assigned_to: nobody --> lem9
     
  • Jim Hermann
    Jim Hermann
    2008-03-25

    Logged In: YES
    user_id=1560474
    Originator: YES

    What did you decide?

    Jim

     
  • Marc Delisle
    Marc Delisle
    2008-03-25

    Logged In: YES
    user_id=210714
    Originator: NO

    Yesterday I proposed a patch to the dev team, to remove this sensible data from the session. I am waiting for their feedback. I am attaching the patch here.
    File Added: sensible.diff

     
  • Marc Delisle
    Marc Delisle
    2008-03-27

    • labels: 509109 --> Security / Restrictions
     
  • Jim Hermann
    Jim Hermann
    2008-03-29

    Logged In: YES
    user_id=1560474
    Originator: YES

    Marc,

    I used your patch as guidance to modify phpMyAdmin 2.10.1 files. It works fine.

    Thanks.

    Jim

    BTW, the english word is sensitive (of a highly secret or delicate nature), not sensible (having good sense or sound judgment). It's a great patch by any name.

     
  • Marc Delisle
    Marc Delisle
    2008-03-29

    sensitive.diff

     
  • Marc Delisle
    Marc Delisle
    2008-03-29

    Logged In: YES
    user_id=210714
    Originator: NO

    Thanks Jim,
    new file uploaded with correct name and comments inside.
    File Added: sensitive.diff

     
  • Marc Delisle
    Marc Delisle
    2008-03-29

    • summary: MySQL Root Password as Plain Text in Session Files --> Sensitive data in session files
     
  • Marc Delisle
    Marc Delisle
    2008-03-29

    • priority: 5 --> 1
    • summary: Sensitive data in session files --> (ok 2.11.5.1) Sensitive data in session files
    • status: open --> open-fixed
     
  • Jürgen Wind
    Jürgen Wind
    2008-03-29

    Logged In: YES
    user_id=1383652
    Originator: NO

    ok,
    issue fixed, but now config.inc.php seems to be read and stored in the session on each and every page load (like in the old days) - is this intended/inevitable?

     
  • Marc Delisle
    Marc Delisle
    2008-03-29

    Logged In: YES
    user_id=210714
    Originator: NO

    We have not yet found a way to avoid this reloading (for example we have to get the blowfish secret from somewhere, now that it's no longer in the session data).

    With more code changes, now we could avoid storing in session everything that is in config, to keep only temporary data in session.

     
  • Jürgen Wind
    Jürgen Wind
    2008-03-30

    Logged In: YES
    user_id=1383652
    Originator: NO

    >for example we have to get the blowfish secret from somewhere,
    >now that it's no longer in the session data

    hmm,
    the blowfish secret is still in the session file when you are on the welcome/login page ...

    since the config.inc.php now is always loaded there is no need to have *any* static config data in the session file at all (IMHO)

     
  • Jürgen Wind
    Jürgen Wind
    2008-03-30

    Logged In: YES
    user_id=1383652
    Originator: NO

    sorry,
    ignore my last post regarding "blowfish" - I only examined the $_SESSION - Array, not the file.

     
  • Marc Delisle
    Marc Delisle
    2008-03-30

    Logged In: YES
    user_id=210714
    Originator: NO

    "since the config.inc.php now is always loaded there is no need to have
    *any* static config data in the session file at all (IMHO)"

    yes, this is what I meant in my message "we could avoid storing in session everything that is in config"

     
  • Marc Delisle
    Marc Delisle
    2008-04-05

    • status: open-fixed --> closed-fixed
     
  • Michal Čihař
    Michal Čihař
    2013-06-11

    • Status: closed-fixed --> fixed