+ +
+

Security policy

+

The phpMyAdmin developer team is putting lot of effort to make phpMyAdmin as +secure as possible. But still web application like phpMyAdmin can be vulnerable +to a number of attacks and new ways to exploit are still being explored.

+

For every reported vulnerability we issue a phpMyAdmin Security Announcement +(PMASA) and it get’s assigne CVE ID as well. We might group similar +vulnerabilities to one PMASA (eg. multiple XSS vulnerabilities can be announced +under one PMASA).

+

If you think you’ve found a vulnerability, please see Reporting security issues.

+
+

Typical vulnerabilities

+

In this secion, we will describe typical vulnerabilities, which can appear in +our code base. This list is by no means complete, it is intended to show +typical attack surface.

+
+

Cross-site scripting (XSS)

+

When phpMyAdmin shows a piece of user data, e.g. something inside a user’s +database, all html special chars have to be escaped. When this escaping is +missing somewhere a malicious user might fill a database with specially crafted +content to trick an other user of that database into executing something. This +could for example be a piece of JavaScript code that would do any number of +nasty things.

+

phpMyAdmin tries to escape all userdata before it is rendered into html for the +browser.

+
+

See also

+

Cross-site scripting on Wikipedia

+
+
+
+

Cross-site request forgery (CSRF)

+

An attacker would trick a phpMyAdmin user into clicking on a link to provoke +some action in phpMyAdmin. This link could either be sent via email or some +random website. If successful this the attacker would be able to perform some +action with the users privileges.

+

To mitigate this phpMyAdmin requires a token to be sent on sensitive requests. +The idea is that an attacker does not poses the currently valid token to +include in the presented link.

+

The token is regenerated for every login, so it’s generally valid only for +limited time, what makes it harder for attacker to obtain valid one.

+
+

See also

+

Cross-site request forgery on Wikipedia

+
+
+
+

SQL injection

+

As the whole purpose of phpMyAdmin is to preform sql queries, this is not our +first concern. SQL injection is sensitive to us though when it concerns the +mysql control connection. This controlconnection can have additional privileges +which the logged in user does not poses. E.g. access the phpMyAdmin configuration storage.

+

User data that is included in (administrative) queries should always be run +through DatabaseInterface::escapeSring().

+
+

See also

+

SQL injection on Wikipedia

+
+
+
+

Brute force attack

+

phpMyAdmin on its own does not rate limit authentication attempts in any way. +This is caused by need to work in stateless environment, where there is no way +to protect against such kind of things.

+

To mitigate this, you can use Captcha or utilize external tools such as +fail2ban, this is more details described in Securing your phpMyAdmin installation.

+
+

See also

+

Brute force attack on Wikipedia

+
+
+
+
+

Reporting security issues

+

Should you find a security issue in the phpMyAdmin programming code, please +contact the phpMyAdmin security team in +advance before publishing it. This way we can prepare a fix and release the fix together with your +announcement. You will be also given credit in our security announcement. +You can optionally encrypt your report with PGP key ID +DA68AB39218AB947 with following fingerprint:

+
pub   4096R/DA68AB39218AB947 2016-08-02
+      Key fingerprint = 5BAD 38CF B980 50B9 4BD7  FB5B DA68 AB39 218A B947
+uid                          phpMyAdmin Security Team <security@phpmyadmin.net>
+sub   4096R/5E4176FB497A31F7 2016-08-02
+
+
+

The key can be either obtained from the keyserver or is available in +phpMyAdmin keyring +available on our download server or using Keybase.

+

Should you have suggestion on improving phpMyAdmin to make it more secure, please +report that to our issue tracker. +Existing improvement suggestions can be found by +hardening label.

+
+
+ + +