Support,
How do I prevent phpMyAdmin 2.10.1 from saving the MySQL Root Password as Plain Text in the current /tmp Session file? I have auth method cookie. I don't store my password in the config file.
I searched the Help forum and the internet. It appears that the problem was identified back in 2003 with version 2.5 and earlier. I could not find the fix listed anywhere. I would upgrade if a newer version corrects this problem.
Jim
Reference:
http://www.net-security.org/vuln.php?id=2765
****
From: Lorenzo Manuel Hernandez Garcia-Hierro <security@lorenzohgh.com>
****
SECURITY HOLES FOUND and PROOFS OF CONCEPT:
-----------------------------------------
.... I discover that phpMyAdmin doesn't encode the MySQL user and password, it saves the data in plain text without encoding!....
------------------
| INFORMATION |
| ENCODING |
| WEAKNESS |
------------------
phpMyAdmin doesn't use any encoding type like BASE64/RadiX64, only saves the user data (username and password too) in plain text without any encoding.
The authentication token in the cookie is this:
pma_cookie_username=[UserName]; lang=[language]-iso-8859-1;
pma_cookie_password=[your password]
A sample is:
pma_cookie_username=god; lang=en-iso-8859-1;
pma_cookie_password=doesnotexist
-----------------
| SOLUTIONS ;-p |
-----------------
****
- Second: Use a partial / secure encoding for authentication tokens like RadiX64 (not very secure but an attacker can think that is a more secure algorithm, obscurity ;-D).
****
Logged In: YES
user_id=210714
Originator: NO
I marked this support request as private, we'll discuss it and come back to you.
The old identified problem was about storing user and password in cookies and this was solved a long time ago by using encryption with the blowfish algorithm, but you are right about the password being in clear in session data.
Logged In: YES
user_id=1560474
Originator: YES
What did you decide?
Jim
Logged In: YES
user_id=210714
Originator: NO
Yesterday I proposed a patch to the dev team, to remove this sensible data from the session. I am waiting for their feedback. I am attaching the patch here.
File Added: sensible.diff
Logged In: YES
user_id=1560474
Originator: YES
Marc,
I used your patch as guidance to modify phpMyAdmin 2.10.1 files. It works fine.
Thanks.
Jim
BTW, the English word is sensitive (of a highly secret or delicate nature), not sensible (having good sense or sound judgment). It's a great patch by any name.
sensitive.diff
Logged In: YES
user_id=210714
Originator: NO
Thanks Jim,
new file uploaded with correct name and comments inside.
File Added: sensitive.diff
Logged In: YES
user_id=1383652
Originator: NO
ok,
issue fixed but now config.inc.php seems to be read and stored in the session on each and every page loading (like in the old days) - is this intended/inevitable?
Logged In: YES
user_id=210714
Originator: NO
We have not yet found a way to avoid this reloading (for example we have to get the blowfish secret from somewhere, now that it's no longer in the session data).
With more code changes, now we could avoid storing in session everything that is in config, to keep only temporary data in session.
Logged In: YES
user_id=1383652
Originator: NO
>for example we have to get the blowfish secret from somewhere,
>now that it's no longer in the session data
hmm,
the blowfish secret is still in the session file when you are on the welcome/login page ...
since the config.inc.php now is always loaded there is no need to have *any* static config data in the session file at all (IMHO)
Logged In: YES
user_id=1383652
Originator: NO
sorry,
ignore my last post regarding "blowfish" - I only examined the $_SESSION - Array, not the file.
Logged In: YES
user_id=210714
Originator: NO
"since the config.inc.php now is always loaded there is no need to have
*any* static config data in the session file at all (IMHO)"
yes, this is what I meant in my message "we could avoid storing in session everything that is in config"
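One way to check the concern raised in this thread, that a login password ends up in clear in a PHP session file under the session directory (added example, not part of the thread and not phpMyAdmin code): log in with a throwaway account whose password is a unique canary string, then scan the session files for that string and note which hits are readable by other local users. The canary value, the sample session contents and their key names are constructed for illustration; `sess_` is the file prefix used by PHP's default `files` session handler.

```python
import base64
import stat
import tempfile
from pathlib import Path
from urllib.parse import quote


def patterns_for(secret):
    """Map each byte form the secret could take on disk to a label."""
    raw = secret.encode()
    forms = {}
    for label, pat in (("plain", raw),
                       ("base64", base64.b64encode(raw)),
                       ("urlencoded", quote(secret, safe="").encode())):
        forms.setdefault(pat, label)  # identical forms are reported once
    return forms


def audit_sessions(session_dir, canary):
    """Return (file, form, group_or_world_readable) for each canary hit."""
    findings = []
    forms = patterns_for(canary)
    # PHP's default "files" handler names session files sess_<id>.
    for path in sorted(Path(session_dir).glob("sess_*")):
        st = path.lstat()
        if not stat.S_ISREG(st.st_mode):  # skip symlinks and directories
            continue
        data = path.read_bytes()
        exposed = bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH))
        findings += [(path.name, label, exposed)
                     for pat, label in forms.items() if pat in data]
    return findings


def demo():
    """Audit constructed session files; their key names are hypothetical."""
    canary = "Canary-9f3!x7Q"  # password of a throwaway test account
    samples = {
        "sess_before": (b'cfg|a:2:{s:4:"user";s:4:"test";'
                        b's:8:"password";s:14:"Canary-9f3!x7Q";}', 0o644),
        "sess_after": (b'cfg|a:1:{s:4:"user";s:4:"test";}', 0o600),
        "notes.txt": (b"Canary-9f3!x7Q", 0o644),  # not a session file
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, (body, mode) in samples.items():
            path = Path(tmp, name)
            path.write_bytes(body)
            path.chmod(mode)
        return audit_sessions(tmp, canary)
```

On a real host, call `audit_sessions()` with the configured `session.save_path` and the canary password; an empty result after logging in means none of the three forms checked was written to disk.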