#3324 (ok 3.4.2) version disclosure to anonymous visitors

Version: 3.4.1
Status: fixed
Owner: Marc Delisle
Priority: 1
Updated: 2013-06-11
Created: 2011-05-26
Creator: Lux In Tenebris
Private: No

Previous versions haven't disclosed the phpMA version number right in the title of the login page. This could be a security issue, providing potential attackers with useful information.
The fix is quite trivial:
--- /usr/share/phpmyadmin/libraries/common.lib.php~ 2011-05-20 21:24:04.000000000 +0400
+++ /usr/share/phpmyadmin/libraries/common.lib.php 2011-05-26 22:34:07.046076504 +0400
@@ -2853,7 +2853,7 @@
$vars['server_verbose_or_name'] = !empty($GLOBALS['cfg']['Server']['verbose']) ? $GLOBALS['cfg']['Server']['verbose'] : $GLOBALS['cfg']['Server']['host'];
$vars['database'] = $GLOBALS['db'];
$vars['table'] = $GLOBALS['table'];
- $vars['phpmyadmin_version'] = 'phpMyAdmin ' . PMA_VERSION;
+ $vars['phpmyadmin_version'] = 'phpMyAdmin';

/* Update forced variables */
foreach($updates as $key => $val) {
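Review bot: the replacement at the `$vars['phpmyadmin_version']` line drops `PMA_VERSION` unconditionally, so the version string disappears for authenticated users as well, while the ticket only asks to hide it from anonymous visitors; gate it on the login state instead, keeping `'phpMyAdmin ' . PMA_VERSION` once a user is authenticated and emitting the bare `'phpMyAdmin'` on the login page. Also, the `---` header points at a `common.lib.php~` backup under `/usr/share/phpmyadmin`, so the paths and the `@@ -2853,7` offset are taken from an installed copy rather than the source tree and may not apply cleanly to the repository's `libraries/common.lib.php`.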

Discussion

  • Hmm, it seems I was rash, and it's too strict a fix, removing the phpMA version number from everywhere.
    It would be much wiser to fix libraries/header_scripts.inc.php in the place where it composes the title text, adding some kind of authenticated-user check.

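A quick way to verify the point raised in this thread, as an added example that is not part of the ticket or of phpMyAdmin itself: fetch the login page as an anonymous visitor and check whether its `<title>` carries a dotted version number after "phpMyAdmin". The two HTML files below are constructed stand-ins for a page before and after the fix; against a live install you would feed `title_leaks_version` the output of `curl -s "$URL"` instead (the URL and the use of curl are assumptions).

```shell
#!/bin/sh
# Added example, not phpMyAdmin code: detect product-version disclosure in an
# unauthenticated page title. Run against a real login page with e.g.
#   curl -s -o login.html "http://localhost/phpmyadmin/"; title_leaks_version login.html

# Print the text of the first <title>...</title> in an HTML file on one line.
html_title() {
    tr '\n' ' ' < "$1" | sed -n 's/.*<title>\([^<]*\)<\/title>.*/\1/p'
}

# Succeed (exit 0) if the title names phpMyAdmin followed by a dotted version.
title_leaks_version() {
    html_title "$1" | grep -Eq 'phpMyAdmin[[:space:]]+[0-9]+(\.[0-9]+)+'
}

# One-line verdict for a file: "LEAK: <title>" or "ok:   <title>".
report() {
    if title_leaks_version "$1"; then
        echo "LEAK: $(html_title "$1")"
    else
        echo "ok:   $(html_title "$1")"
    fi
}

# Constructed sample pages (assumed shape of the login page title, not a capture).
WORK=$(mktemp -d)
BEFORE="$WORK/before.html"
AFTER="$WORK/after.html"
cat > "$BEFORE" <<'EOF'
<html><head>
<title>phpMyAdmin 3.4.1 - localhost</title>
</head><body>login form</body></html>
EOF
cat > "$AFTER" <<'EOF'
<html><head>
<title>phpMyAdmin - localhost</title>
</head><body>login form</body></html>
EOF

report "$BEFORE"
report "$AFTER"
```

The check is deliberately anchored on the `<title>` element only, which is where this ticket places the disclosure; a fuller scan would also cover the footer and `<meta name="generator">` style markup, but those are outside what the ticket describes.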
  • Marc Delisle
    2011-05-30

    • assigned_to: nobody --> lem9

  • Marc Delisle
    2011-06-02

    • priority: 5 --> 1
    • summary: version disclosure to anonymous visitors --> (ok 3.4.2) version disclosure to anonymous visitors
    • status: open --> open-fixed

  • Marc Delisle
    2011-06-02

    This bug was fixed in repository and will be part of a future release; thanks for reporting.

  • Marc Delisle
    2011-06-07

    • status: open-fixed --> closed-fixed

  • Michal Čihař
    2013-06-11

    • Status: closed-fixed --> fixed