phpMyAdmin can easily be attacked by brute force.
A simple protection would be if login to phpMyAdmin were forbidden for 1 minute after 5 wrong login attempts.
Login attempts can be stored in the session, cookie or pma-tables (or all three).
Logged In: YES
user_id=334647
Originator: YES
I will try to program a small patch that does the job now....
Logged In: YES
user_id=334647
Originator: YES
this is the patch, if you use cookie authentication:
open the file
/libraries/auth/cookie.auth.lib.php
search for 'function PMA_auth_fails()' (around line 583)
replace this:
//-------------------------
PMA_auth();
} // end of the 'PMA_auth_fails()' function
//-------------------------
with:
//-------------------------
// patch to block brute force attacks
// by Ruben Barkow (rubo77) http://entikey.z11.de
$login_failure_blocktime = 60; // window in seconds during which failed attempts are counted
$logins_failed = 0;            // initialised here: the session may hold no failures yet
if (!empty($_SESSION['login failure'])) {
    foreach ($_SESSION['login failure'] as $timestamp) {
        // count only the failures that are still inside the window
        if ($timestamp + $login_failure_blocktime > time()) {
            $logins_failed++;
        }
    }
}
if ($logins_failed >= 5) {
    die('too many attempts!');
}
// store this login failure in the session:
$_SESSION['login failure'][] = time();
// end of brute force patch
PMA_auth();
} // end of the 'PMA_auth_fails()' function
//-------------------------
Works for me,
I guess for the other auth methods it will be similar.
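The rule proposed in the report (refuse logins for 1 minute once 5 failures have been recorded) as a stand-alone sliding-window throttle. This is an added example, not the patch posted above and not phpMyAdmin's own code: function names, the constants, the username key and the fake clock are assumptions made for the example. Unlike the posted patch it prunes expired timestamps, so the store cannot grow without bound, and it keeps the store behind a reference parameter so the same functions can sit either in front of $_SESSION (as the patch does) or in front of a server-side table keyed by the attempted username (the report's "pma-tables" option). That distinction matters for the mitigation: a counter held only in the PHP session is enforced only for clients that keep presenting that session cookie, whereas a server-side store keyed by username is enforced for every request. Inside PMA_auth_fails() one would call login_is_blocked() before PMA_auth() and record_failure() after the failed attempt.

```php
<?php
// Added example (not the patch from this thread, not phpMyAdmin code):
// sliding-window login throttle for "block 60 s after 5 failed attempts".
// The store is any array passed by reference: $_SESSION, or rows loaded
// from a server-side table keyed by username. Names/values are assumptions.

const LOGIN_FAILURE_LIMIT  = 5;  // failures allowed inside the window
const LOGIN_FAILURE_WINDOW = 60; // window length in seconds

// Keep only timestamps still inside the window, so the list of failures
// cannot grow without bound the way $_SESSION['login failure'] does above.
function prune_failures(array $failures, int $now): array
{
    return array_values(array_filter(
        $failures,
        function (int $ts) use ($now): bool {
            return $ts + LOGIN_FAILURE_WINDOW > $now;
        }
    ));
}

// True when the caller must be refused before the password is even checked.
function login_is_blocked(array &$store, string $key, int $now): bool
{
    $store[$key] = prune_failures($store[$key] ?? [], $now);
    return count($store[$key]) >= LOGIN_FAILURE_LIMIT;
}

// Record one failed attempt; returns how many failures are now in the window.
function record_failure(array &$store, string $key, int $now): int
{
    $store[$key] = prune_failures($store[$key] ?? [], $now);
    $store[$key][] = $now;
    return count($store[$key]);
}

// A successful login clears the counter so a legitimate user is not blocked later.
function clear_failures(array &$store, string $key): void
{
    unset($store[$key]);
}

// Small check helper so the walk-through works regardless of zend.assertions.
function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- Constructed walk-through with a fake clock; no real session is needed ---
$store = [];     // stands in for $_SESSION or the rows of a pma table
$user  = 'root'; // hypothetical username used as the store key
$t     = 1000;   // constructed epoch seconds of the first attempt

for ($i = 0; $i < LOGIN_FAILURE_LIMIT; $i++) {
    expect(!login_is_blocked($store, $user, $t + $i), "attempt $i allowed");
    record_failure($store, $user, $t + $i);
}
// Sixth attempt ten seconds later: five failures in the window, refused.
expect(login_is_blocked($store, $user, $t + 10), 'sixth attempt blocked');
// 61 s after the first failure only three remain, so the block lifts:
// this is the "forbidden for 1 minute" behaviour the report asks for.
expect(!login_is_blocked($store, $user, $t + 61), 'block lifted after window');
expect(count($store[$user]) === 3, 'expired failures pruned');
// A successful login afterwards resets the counter.
clear_failures($store, $user);
expect(!login_is_blocked($store, $user, $t + 62), 'counter cleared');
echo "throttle behaves as expected\n";
```

Keying by username rather than by session also means the decision can be made before PMA_auth() is reached and logged centrally, which is where a failed-login alert would be raised.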
Logged In: YES
user_id=210714
Originator: NO
Let's close this, as you submitted a patch in the patch tracker and we can discuss it there.
ok,
here:
https://sourceforge.net/tracker/index.php?func=detail&aid=1978305&group_id=23067&atid=377410