phpMyAdmin / Feature Requests / #419 fully remove version information

#419 fully remove version information

Status: invalid

Owner: Alexander M. Turek

Labels: Security / Restrictions (23)

Priority: 1

Updated: 2015-02-07

Created: 2003-11-25

Creator: Florian Effenberger

Private: No

I would like to see an option in the configuration
files to fully remove phpMyAdmin and MySQL version
information from the GUI and the created exported files.

It is part of my security concept to NOT show anything
like that to outside users.

Discussion

Garvin Hicking - 2003-11-25

Logged In: YES
user_id=473563

Maybe you would like to contribute a patch for that? :-)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Florian Effenberger - 2003-11-25

Logged In: YES
user_id=240337

Now if I only was a programmer ;)

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alexander M. Turek - 2003-11-25

milestone: 284147 -->

assigned_to: nobody --> rabus
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Alexander M. Turek - 2003-11-25

Logged In: YES
user_id=418833

Sorry, but I really don't see any sense in your request.

First of all, I did not understand why it is more secure not to
display MySQL / phpMyAdmin version information.
If someone could really do harmful stuff with that information,
he / she / it could still retrieve the MySQL version by typing

SELECT VERSION();

into the SQL query box. This isn't really a big secret.
We could make the parser blocking the VERSION function, but
this would be to complicated for this senseless purpose.

If you really want to hide the version numbers I'd suggest you
to hack the phpMyAdmin / MySQL code manually so that they
return junk when being asked for a version number.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Florian Effenberger - 2003-11-25

Logged In: YES
user_id=240337

No problem, it was just a suggestion :) I know views may
vary on this.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Garvin Hicking - 2003-11-25

priority: 5 --> 1

status: open --> closed-rejected
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Garvin Hicking - 2003-11-25

Logged In: YES
user_id=473563

I must agree with rabus. If you really want security through
obscurity, you are advised to take the sources of PHP,
phpMyAdmin and MySQL, fake their version string and compile
the sources.

phpMyAdmin stores its version number only in the
libraries/defines_php.lib.php file (and the documentation)
and can easily be adjusted by you.

MySQL also stores its version number in a central file, same
with PHP.

There will always be ways to get to the version number using
various commands. If you want total 'security' (which is why
you posted the request) there is no other way than to fake
version numbers, as it is the only reliable way.

Regards,
Garvin.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Brendan - 2004-02-25

Logged In: YES
user_id=722829

What I find scary is when you are trying to log into php my
admin it says Welcome to phpMyAdmin 2.5.6-rc2 - Login
This shows any one wanting to get into phpMyAdmin, even
before they get in what version it is in PLAIN TEXT.

Brendan

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Michal Čihař - 2013-06-11

Status: closed-rejected --> invalid
If you would like to refer to this comment somewhere else in this project, copy and paste the following link: