Tracker: Bugs

1 (ok 2.11.5.1) Sensitive data in session files - ID: 1909711
Last Update: Settings changed ( lem9 )

Support,

How do I prevent phpMyAdmin 2.10.1 from saving the MySQL Root Password as
Plain Text in the current /tmp Session file? I use the cookie auth method. I
don't store my password in the config file.

I searched the Help forum and the internet. It appears that the problem was
identified back in 2003 with version 2.5 and earlier. I could not find the
fix listed anywhere. I would upgrade if a newer version corrects this
problem.

Jim

Reference:

http://www.net-security.org/vuln.php?id=2765

****

From: Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>

****

SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------

.... I discovered that phpMyAdmin doesn't encode the MySQL user and password;
it saves the data in plain text without encoding !....

---------------------------------
| INFORMATION ENCODING WEAKNESS |
---------------------------------

phpMyAdmin doesn't use any encoding type like BASE64/RadiX64; it only saves
the user data (username and password too) in plain text without any
encoding.

The authentication token in the cookie is this:

pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
pma_cookie_password=[your password]

A sample is:

pma_cookie_username=god; lang=en-iso-8859-1;
pma_cookie_password=doesnotexist

-----------------
| SOLUTIONS ;-p |
-----------------

****
- Second: Use a partial / secure encoding for authentication tokens like
RadiX64 (not very secure, but an attacker
can think that it is a more secure algorithm; obscurity ;-D).
****
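As an added example (not part of the original report, of the quoted advisory, or of phpMyAdmin itself): the check a practitioner would run to confirm whether a PHP session file holds a credential in the clear. PHP's default session save handler writes the session as `name|serialized-value` pairs, so the script parses that format and lists every key whose name suggests a secret and whose value is a non-empty string. The sample session body, its key names (`PMA_Config`, `blowfish_secret`, `PMA_token`) and its values are constructed for this example and only mimic the shape of a 2.10-era phpMyAdmin session.

```python
"""Audit PHP session files for credentials stored in the clear.

Added example; it is not code from the tracker report or from phpMyAdmin.
Parses PHP's default session serialization (`key|value;` pairs using the
serialize() encoding) and reports secret-looking keys with string values.
"""
import re
import sys
from pathlib import Path

# Heuristic list of key names that usually hold a secret (assumption).
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|pwd|secret)", re.IGNORECASE)


def _parse_value(data, pos):
    """Parse one serialized value at data[pos]; return (value, next_pos).

    Handles the types PHP emits for session data: s (string), i (int),
    d (float), b (bool), N (null) and a (array, returned as a dict).
    `data` must be decoded as latin-1 so string lengths count bytes.
    """
    tag = data[pos]
    if tag == "N":                                  # 'N;'
        return None, pos + 2
    if tag in "ibd":                                # 'i:42;' 'd:1.5;' 'b:1;'
        end = data.index(";", pos)
        raw = data[pos + 2:end]
        val = {"i": int, "d": float, "b": lambda v: v == "1"}[tag](raw)
        return val, end + 1
    if tag == "s":                                  # 's:LEN:"bytes";'
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                           # skip ':"'
        return data[start:start + length], start + length + 2  # skip '";'
    if tag == "a":                                  # 'a:COUNT:{k;v;...}'
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        cur = colon + 2                             # skip ':{'
        result = {}
        for _ in range(count):
            key, cur = _parse_value(data, cur)
            result[key], cur = _parse_value(data, cur)
        return result, cur + 1                      # skip '}'
    raise ValueError(f"unsupported type {tag!r} at offset {pos}")


def parse_session(data):
    """Parse a whole session file body into a {key: value} dict."""
    session, pos = {}, 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        session[key], pos = _parse_value(data, bar + 1)
    return session


def find_clear_secrets(value, path=""):
    """Walk parsed data; return [(key_path, value)] for clear-text secrets."""
    found = []
    if isinstance(value, dict):
        for k, v in value.items():
            sub = f"{path}/{k}" if path else str(k)
            if SECRET_KEY_RE.search(str(k)) and isinstance(v, str) and v:
                found.append((sub, v))
            found.extend(find_clear_secrets(v, sub))
    return found


def audit_session_file(path):
    """Return the clear-text secrets found in one PHP session file."""
    data = Path(path).read_bytes().decode("latin-1")
    return find_clear_secrets(parse_session(data))


# Constructed sample: a loaded config array holding the server password and
# the blowfish secret, plus harmless state (language, CSRF token).
SAMPLE_SESSION = (
    'PMA_Config|a:2:{s:15:"blowfish_secret";s:6:"abc123";s:7:"Servers";'
    'a:1:{i:1;a:3:{s:4:"host";s:9:"localhost";s:4:"user";s:4:"root";'
    's:8:"password";s:12:"hunter2-demo";}}}'
    'lang|s:2:"en";PMA_token|s:8:"deadbeef";'
)


def audit_sample():
    """Run the audit over the constructed sample body."""
    return find_clear_secrets(parse_session(SAMPLE_SESSION))


if __name__ == "__main__":
    # Usage: python audit_session.py /tmp/sess_*  (paths are the operator's)
    targets = sys.argv[1:]
    results = (audit_session_file(p) for p in targets) if targets else [audit_sample()]
    for hits in results:
        for key_path, secret in hits:
            print(f"clear-text secret at {key_path}: {secret[:3]}***")
```

Only the blowfish secret and the server password are reported; the CSRF token and the language setting pass, which is the distinction the thread later draws between static config (should not be in the session at all) and temporary per-session state.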



Submitted: Jim Hermann ( jimhermann ) - 2008-03-07 17:43
Priority: 1
Status: Closed
Resolution: Fixed
Assigned to: Marc Delisle
Category: Security / Restrictions
Group: None
Visibility: Public


Comments ( 10 )

Date: 2008-03-30 20:37
Sender: lem9 (Project Admin & Donor)


"since the config.inc.php now is always loaded there is no need to have
*any* static config data in the session file at all (IMHO)"

yes, this is what I meant in my message "we could avoid storing in session
everything that is in config"


Date: 2008-03-30 16:01
Sender: windkiel


sorry,
ignore my last post regarding "blowfish" - I only examined the $_SESSION
array, not the file.


Date: 2008-03-30 15:42
Sender: windkiel


>for example we have to get the blowfish secret from somewhere,
>now that it's no longer in the session data

hmm,
the blowfish secret is still in the session file when you are on the
welcome/login page ...

since the config.inc.php now is always loaded there is no need to have
*any* static config data in the session file at all (IMHO)


Date: 2008-03-29 15:19
Sender: lem9 (Project Admin & Donor)


We have not yet found a way to avoid this reloading (for example we have
to get the blowfish secret from somewhere, now that it's no longer in the
session data).

With more code changes, now we could avoid storing in session everything
that is in config, to keep only temporary data in session.


Date: 2008-03-29 15:12
Sender: windkiel


ok,
issue fixed, but now config.inc.php seems to be read and stored in the
session on each and every page load (like in the old days) - is this
intended/inevitable?


Date: 2008-03-29 05:00
Sender: lem9 (Project Admin & Donor)


Thanks Jim,
new file uploaded with correct name and comments inside.
File Added: sensitive.diff


Date: 2008-03-29 01:24
Sender: jimhermann


Marc,

I used your patch as guidance to modify phpMyAdmin 2.10.1 files. It works
fine.

Thanks.

Jim

BTW, the English word is sensitive (of a highly secret or delicate
nature), not sensible (having good sense or sound judgment). It's a great
patch by any name.




Date: 2008-03-25 18:49
Sender: lem9 (Project Admin & Donor)


Yesterday I proposed a patch to the dev team, to remove this sensible data
from the session. I am waiting for their feedback. I am attaching the patch
here.
File Added: sensible.diff


Date: 2008-03-25 18:08
Sender: jimhermann


What did you decide?

Jim


Date: 2008-03-12 16:31
Sender: lem9 (Project Admin & Donor)


I marked this support request as private; we'll discuss it and come back
to you.
The old identified problem was about storing user and password in cookies,
and this was solved a long time ago by using encryption with the blowfish
algorithm, but you are right about the password being in the clear in
session data.


Attached File ( 1 )

Filename: sensitive.diff
Description: sensitive.diff

Changes ( 14 )

Field          Old Value                                           Date              By
close_date     -                                                   2008-04-05 20:41  lem9
status_id      Open                                                2008-04-05 20:41  lem9
resolution_id  None                                                2008-03-29 15:09  lem9
summary        Sensitive data in session files                     2008-03-29 15:09  lem9
priority       5                                                   2008-03-29 15:09  lem9
summary        MySQL Root Password as Plain Text in Session Files  2008-03-29 05:32  lem9
is_private     1                                                   2008-03-29 05:32  lem9
File Added     272337: sensitive.diff                              2008-03-29 05:00  lem9
File Deleted   271804:                                             2008-03-29 04:59  lem9
category_id    Security / Restrictions                             2008-03-27 16:35  lem9
data_type      377408                                              2008-03-27 16:35  lem9
File Added     271804: sensible.diff                               2008-03-25 18:49  lem9
is_private     0                                                   2008-03-12 16:31  lem9
assigned_to    nobody                                              2008-03-12 16:31  lem9