Menu
▾
▴
#2988 (ok 3.3.1) Potential information disclosure at login page
There are several good checks made at the login page, but one seems to show a tad too much information. If I enter invalid credentials, phpMyAdmin shows me the output from the MySQL login attempt like this:
#1045 - Access denied for user 2e2e@localhost (using password: YES)
It's really none of the user's business which MySQL server we're trying to access at this point. Nowhere do I display a list of servers to choose from, nor do I display any hostnames. Granted, there isn't much I can do with this information, but it gives me a clue as to how the MySQL server configuration looks behind phpMyAdmin (is it running on *this* server, and so on).
Discussion
Screenshot after failed login attempt
This is the error messages as the MySQL server presents it.
To change this behavior a change would probably have to be made to the PMA_auth_fails() function in libraries/auth/*.php. In there you could filter the error messages.
Yes, I agree that this is a response from MySQL; the question is if the textual message has to be displayed at all? Is it not possible to retrieve just a numerical message or simply say "Invalid username/password" by default; if debugging is enabled, it can behave as it does now.
Fixed in subversion, thanks for reporting.