phpMyAdmin can easily be attacked by brute force.
This simple protection will block pma for
1 minute after 5 wrong login attempts.
see also: https://sourceforge.net/tracker/index.php?func=detail&aid=1975401&group_id=23067&atid=377411
open the file
/libraries/auth/cookie.auth.lib.php
search for 'function PMA_auth_fails()' (around line 583)
replace this:
//-------------------------
PMA_auth();
} // end of the 'PMA_auth_fails()' function
//-------------------------
with:
//-------------------------
// patch to block brute force attacks
// by Ruben Barkow (rubo77) http://entikey.z11.de
$login_failure_blocktime = 60; // time in seconds within which failed password attempts are counted
$logins_failed = 0;            // initialised up front so it is defined even on the very first failure
if (!empty($_SESSION['login failure'])) {
    foreach ($_SESSION['login failure'] as $timestamp) {
        if ($timestamp + $login_failure_blocktime > time()) {
            $logins_failed++;
        }
    }
}
if ($logins_failed >= 5) {
    die('too many attempts!');
}
// store this login failure in the session:
$_SESSION['login failure'][] = time();
// end of brute force patch
PMA_auth();
} // end of the 'PMA_auth_fails()' function
//-------------------------
user_id=210714, Originator: NO
I'm not sure this would be effective, as the attacker just has to close all windows of his browser to start a new session.
user_id=334647, Originator: YES
At least this is a stone in the way of a potential attacker. The attacker can only try 5 times a minute with these settings. I think if you have to close and reopen a new Firefox session, that also takes quite long.
An improvement would be:
If the pma tables are enabled, then we could store the IP of the attacker in the database to prevent it from reopening a new session.
Or is it complicated to store the login-failure count in the cookie?
If you only enable the cookie login, then the user HAS TO accept cookies, and if the cookie also tracks the login failures this would be a better protection too.
user_id=326580, Originator: NO
Cookies (and therefore the session) can easily be deleted by the attacker; he does not need to use a browser to do the attack. This will help nothing as long as phpMyAdmin cannot store the IP or some other identification permanently and client-independently,
so this could only be done with another table in the phpMyAdmin database.
user_id=210714, Originator: NO
I agree with cybot_tm. I want to add that we'll have to block brute-force attacks also from http auth_type.
user_id=334647, Originator: YES
I also agree with cybot_tm.
So will you add it with another table in the phpMyAdmin database?
I still think my small patch should be added, because it serves as a tiny protection, not against "hackers" but against incompetent snoopy customers that have pma access on your server.
user_id=326580, Originator: NO
We could also start a "log" session with a forced session id before we start the real session,
so we could log logins in the forced session and switch to the real session when it succeeds.
Btw. the forced session could also be used to store a randomly generated "secret password" for encryption of the cookie, if none is set in config.inc.php.
user_id=210714, Originator: NO
Ruben,
for better manageability of the code base, I prefer to have just one mechanism for brute-force attacks. You named this "brute-force protection" so it's supposed to be against real hackers.
Sebastian, I'll try to explore further your idea of a log session; but storing the "secret password" in session data is not recommended.
1. I have a simple solution:
To prevent someone from brute-forcing the root password, you could completely disable root login directly into phpMyAdmin.
There must be a superuser defined in the config file that is allowed to log in as root, so you would first have to log in as this user and from there into the root account.
2. Another solution would be that a second password has to be configured in the config file, which must be entered additionally if you want to log in as root.
As my phpMyAdmin is attacked a lot these days, I really need a solution fast.
At least if
$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
is enabled, it would be easy to log failed login attempts.
If a user has 10 failed attempts, disable pma for this user for 10 minutes; that would suffice to block all brute force attacks.
Here is a patch that logs the login attempts in the phpMyAdmin database in a new table:
open the file
/libraries/auth/cookie.auth.lib.php
1.
search for this block (around line 449):
//--------------------------------------------------
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
        $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
    }
    return true;
}
//--------------------------------------------------
and replace with:
//--------------------------------------------------
if (! empty($_REQUEST['pma_username'])) {
    // The user just logged in
    $GLOBALS['PHP_AUTH_USER'] = $_REQUEST['pma_username'];
    $GLOBALS['PHP_AUTH_PW'] = empty($_REQUEST['pma_password']) ? '' : $_REQUEST['pma_password'];
    if ($GLOBALS['cfg']['AllowArbitraryServer'] && isset($_REQUEST['pma_servername'])) {
        $GLOBALS['pma_auth_server'] = $_REQUEST['pma_servername'];
    }
    // begin brute force patch
    // record the submitted attempt (status 1) and refuse it if this user is already over the limit:
    myUserLoginHistory($GLOBALS['PHP_AUTH_USER'], $GLOBALS['PHP_AUTH_PW'], 1);
    // end brute force patch
    return true;
}
//--------------------------------------------------
2.
go to the end of the file and replace this:
//--------------------------------------------------
header('Pragma: no-cache');
PMA_auth();
} // end of the 'PMA_auth_fails()' function
?>
//--------------------------------------------------
with:
//--------------------------------------------------
header('Pragma: no-cache');
// begin patch to block brute force attacks
// by Ruben Barkow (rubo77) http://entikey.z11.de
// the server rejected the credentials: record a failure (status 0)
myUserLoginHistory($GLOBALS['PHP_AUTH_USER'], $GLOBALS['PHP_AUTH_PW'], 0);
// end of brute force patch
PMA_auth();
} // end of the 'PMA_auth_fails()' function
/**
 * patch to block brute force attacks
 * by Ruben Barkow (rubo77) http://entikey.z11.de
 *
 * creates a table for the login history that logs every user login attempt and failure;
 * while 10 or more failures for a username fall within the last 5 minutes, logins for
 * that username are refused
 *
 * stores every login status (0 = rejected by the server, 1 = credentials submitted)
 */
function myUserLoginHistory($user, $pass, $status)
{
    if (empty($GLOBALS['cfg']['Server']['pmadb'])) {
        echo "Please activate<br> \$cfg['Servers'][\$i]['controluser'] = 'pma';<br>
        \$cfg['Servers'][\$i]['controlpass'] = 'yourpass';<br>
        and <br>\$cfg['Servers'][\$i]['pmadb'] = 'phpmyadmin';<br>
        in your config.inc.php<br>";
        die;
    }
    if (!$g_link = mysql_connect($GLOBALS['cfg']['Server']['host'], $GLOBALS['cfg']['Server']['controluser'], $GLOBALS['cfg']['Server']['controlpass'])) {
        die('no connection! ' . mysql_error());
    }
    mysql_select_db($GLOBALS['cfg']['Server']['pmadb'], $g_link) or die('Could not select database ' . $GLOBALS['cfg']['Server']['pmadb'] . '.');
    $query = "CREATE TABLE IF NOT EXISTS `pma_loginhistory` (
        `id` int(11) NOT NULL auto_increment,
        `dbase` varchar(255) collate utf8_bin NOT NULL default '',
        `user` varchar(255) collate utf8_bin NOT NULL default '',
        `md5pass` varchar(255) character set utf8 NOT NULL,
        `logintime` datetime NOT NULL,
        `success` tinyint(4) NOT NULL,
        PRIMARY KEY (`id`)
    )";
    if (!mysql_query($query, $g_link)) echo mysql_error($g_link);
    // count the failures recorded for this username in the last 5 minutes
    // (escaped with the connection's charset; addslashes() is not a SQL escape)
    $quoted_user = mysql_real_escape_string($user, $g_link);
    $query = "SELECT COUNT(*) FROM `pma_loginhistory`
        WHERE `user` = '" . $quoted_user . "' AND `logintime` > DATE_SUB(NOW(), INTERVAL 5 MINUTE) AND `success` = 0";
    $result = mysql_query($query, $g_link);
    $numfails = $result ? (int) mysql_result($result, 0) : 0;
    if ($numfails >= 10) {
        die("too many attempts: $numfails!");
    }
    // record this attempt; without this INSERT the table stays empty and nothing is ever counted.
    // `md5pass` holds an unsalted MD5 of every attempted password, as the schema requires,
    // so this table is sensitive data and must stay readable by the control user only.
    $query = "INSERT INTO `pma_loginhistory` (`user`, `md5pass`, `logintime`, `success`)
        VALUES ('" . $quoted_user . "', '" . md5($pass) . "', NOW(), " . (int) $status . ")";
    if (!mysql_query($query, $g_link)) echo mysql_error($g_link);
}
// end of brute force patch
?>
The patch is easy to install:
1.
install the latest phpMyAdmin version 3.2.0.1 (it also works with older versions)
2.
add the patch (comment from Date: 2009-07-06 18:08)
3.
create the pma tables from:
phpmyadmin/scripts/create_tables.sql
4.
edit or create the config.inc file:
/phpmyadmin/config.inc.php
The same steps, originally posted in German:
----------------------------------------------------------------------------------------------------------------------
1.
Best install the newest phpMyAdmin version there is.
2.
Then apply this patch (only the 2nd one, from Date: 2009-07-06 18:08).
3.
Run the SQL commands in
phpmyadmin/scripts/create_tables.sql
4.
Then you still have to edit (or create) the config.inc file, for me in:
/usr/share/phpmyadmin/config.inc.php
For the future readers of this article:
"rubo77" has no clue how sessions work; don't use this patch unless you want to have your phpMyAdmin hacked or your account constantly blocked .....
The solution for the problem here is storing IPs and counting login attempts, and if, let's say, the login attempts are greater than 5, block this IP address from authentication.
Check out this bit:
if(!empty($_SESSION['login failure'])) {
How crazy is that, looool :)
Another bit:
"store login failure in session"
I agree that my patch isn't a solution against brute-force scripts, because a script will easily start a new session with each try.
I know exactly how sessions work (12 years of PHP programming), but I used this patch to protect phpMyAdmin against my clients, who are not so advanced in programming.
Without the patch my clients had infinite tries to find out the password (and they used their browser and keyboard).
I don't see why my patch should make phpMyAdmin more easily hacked than without my patch.
@Gemcoder: please explain how it makes pma more vulnerable.
BE AWARE: this patch does not protect against all scripts!
It is only a small protection, but better than nothing.
The idea to store IPs is good but not enough. Additionally I would block a user with too many tries for a minute or so, because a script could use TOR or something to change IPs easily.
Something has to be done! pma is definitely vulnerable to brute force!
So I set the priority to 8.
Closing, due to lack of interest.
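Added illustration of the point argued across this thread, from the first session-based patch through the replies about cookies, IP tables and Tor: a counter stored in the client's session resets whenever the client discards its cookie, a server-side table keyed on the username does not, and counting per username is what defeats IP rotation but also lets an attacker lock out the real admin. This is a Python model written for this page, not phpMyAdmin code and not either of the patches above. The limits (5 failures per 60 s), the table and column names, and all IP addresses are assumed values chosen for the demonstration; an in-memory SQLite table stands in for a table in the phpMyAdmin control database.

```python
"""Sliding-window login throttling: session-scoped versus server-side counters.

A model of the policy discussed in the thread, not phpMyAdmin code.
MAX_FAILURES, WINDOW_SECONDS, the table layout and every IP address are
assumed values chosen for the demonstration; SQLite in memory stands in
for a table in the phpMyAdmin control database.
"""
import sqlite3

MAX_FAILURES = 5      # failures tolerated inside the window (assumed)
WINDOW_SECONDS = 60   # sliding window length in seconds (assumed)


class SessionCounter:
    """The first patch's model: failure timestamps live in the client's
    session, so a client that starts a new session starts with a clean list."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        sid = len(self._sessions) + 1
        self._sessions[sid] = []
        return sid

    def allowed(self, sid, user, ip, now):
        recent = [t for t in self._sessions[sid] if t + WINDOW_SECONDS > now]
        return len(recent) < MAX_FAILURES

    def record_failure(self, sid, user, ip, now):
        self._sessions[sid].append(now)


class TableCounter:
    """The server-side alternative: a failure table the client cannot discard.
    `keys` selects which columns are counted; ("user", "ip") refuses a login
    when either the username or the source IP is over the limit."""

    _SQL = {  # fixed statements, so no column name is ever interpolated
        "user": "SELECT COUNT(*) FROM login_failure WHERE user = ? AND ts > ?",
        "ip": "SELECT COUNT(*) FROM login_failure WHERE ip = ? AND ts > ?",
    }

    def __init__(self, keys=("user", "ip")):
        self._keys = keys
        self._db = sqlite3.connect(":memory:")
        self._db.execute(
            "CREATE TABLE login_failure (user TEXT, ip TEXT, ts INTEGER)")

    def new_session(self):
        return None  # the session carries no throttling state here

    def allowed(self, sid, user, ip, now):
        since = now - WINDOW_SECONDS
        values = {"user": user, "ip": ip}
        for key in self._keys:
            (n,) = self._db.execute(self._SQL[key], (values[key], since)).fetchone()
            if n >= MAX_FAILURES:
                return False
        return True

    def record_failure(self, sid, user, ip, now):
        self._db.execute("INSERT INTO login_failure VALUES (?, ?, ?)",
                         (user, ip, now))


def run_attack(counter, ips, attempts=20, user="root", start=1_000_000):
    """Constructed scenario: `attempts` wrong passwords for `user`, one second
    apart, each from a fresh session (the attacker keeps no cookie) and from
    ips[i % len(ips)]. Returns how many attempts reached the password check."""
    passed = 0
    for i in range(attempts):
        now = start + i
        sid = counter.new_session()
        ip = ips[i % len(ips)]
        if counter.allowed(sid, user, ip, now):
            passed += 1
            counter.record_failure(sid, user, ip, now)  # password was wrong
    return passed


def admin_locked_out(counter, user="root", admin_ip="203.0.113.9", now=1_000_020):
    """After run_attack: is the real admin, from an unrelated IP, refused too?
    This is the availability cost of counting per username."""
    return not counter.allowed(counter.new_session(), user, admin_ip, now)


def scenario(counter, ips):
    """Run the attack, then check the admin's fate: (attempts_passed, admin_locked)."""
    return run_attack(counter, ips), admin_locked_out(counter)


if __name__ == "__main__":
    one_ip = ["198.51.100.7"]
    rotating = ["198.51.100.%d" % i for i in range(1, 21)]  # a fresh exit per try
    print("session counter, one IP        :", scenario(SessionCounter(), one_ip))
    print("table per IP only, rotating    :", scenario(TableCounter(("ip",)), rotating))
    print("table per user and IP, rotating:", scenario(TableCounter(), rotating))
```

Run as a script it prints the three outcomes the thread predicts: the session counter lets all 20 attempts through because every attempt arrives in a new session; the IP-only table lets all 20 through when the source address changes on every try; the table keyed on username and IP stops the attack after 5, and the same username key is what then refuses the legitimate admin from a clean address until the window expires.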