Security policy

The phpMyAdmin developer team puts a lot of effort into making phpMyAdmin as secure as possible. Still, a web application like phpMyAdmin can be vulnerable to a number of attacks, and new ways to exploit are still being explored.

For every reported vulnerability we issue a phpMyAdmin Security Announcement (PMASA), and it gets assigned a CVE ID as well. We might group similar vulnerabilities into one PMASA (e.g. multiple XSS vulnerabilities can be announced under one PMASA).

If you believe you have found a vulnerability, please refer to Reporting security issues.

Typical vulnerabilities

In this section, we describe typical vulnerabilities which can appear in our code base. This list is not complete; it is intended to show the typical attack surface.

Cross-site scripting (XSS)

When phpMyAdmin shows a piece of user data, e.g. something inside a user's database, all HTML special characters have to be escaped. When this escaping is missing somewhere, a malicious user might fill a database with specially crafted content to trick another user of that database into executing something. This could for example be a piece of JavaScript code that would do any number of nasty things.

phpMyAdmin tries to escape all user data before it is rendered into HTML for the browser.

See also

`Cross-site scripting <https://en.wikipedia.org/wiki/Cross-site_scripting>`_ on Wikipedia

Cross-site request forgery (CSRF)

An attacker would trick a phpMyAdmin user into clicking on a link to provoke some action in phpMyAdmin. This link could either be sent via email or placed on some random website. If successful, the attacker would be able to perform some action with the user's privileges.

To mitigate this, phpMyAdmin requires a token to be sent on sensitive requests. The idea is that an attacker does not possess the currently valid token to include in the presented link.

The token is regenerated at every login, so it is only valid for a limited time, which makes it harder for an attacker to obtain a valid one.

SQL injection

As the whole purpose of phpMyAdmin is to perform SQL queries, this is not our first concern. SQL injection is sensitive to us, though, when it concerns the MySQL control connection. This control connection can have additional privileges which the logged-in user does not possess, e.g. access to the phpMyAdmin configuration storage.

User data that is included in (administrative) queries should always be run through DatabaseInterface::quoteString().
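As an added illustration (not phpMyAdmin's own code), the following contrasts concatenating user data into an administrative query with quoting it first. ``quoteStringLikePma()`` is a stand-in for ``DatabaseInterface::quoteString()`` (the real method escapes using the live connection's charset via mysqli), and the ``pma__bookmark`` query is an assumed configuration-storage query chosen for the example.

```php
<?php
declare(strict_types=1);

// Stand-in for DatabaseInterface::quoteString(): escape the characters MySQL
// treats specially inside a string literal and wrap the result in quotes, so
// the caller never concatenates raw data into the SQL text.
function quoteStringLikePma(string $value): string
{
    $escaped = strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
    return "'" . $escaped . "'";
}

// Vulnerable pattern: user-supplied values end up verbatim in a query that
// runs on the control connection, i.e. with privileges the user may not have.
function buildBookmarkQueryUnsafe(string $user, string $label): string
{
    return "SELECT dbase FROM pma__bookmark WHERE user = '$user' AND label = '$label'";
}

// Hardened pattern: every piece of user data passes through the quoting helper.
function buildBookmarkQuerySafe(string $user, string $label): string
{
    return 'SELECT dbase FROM pma__bookmark WHERE user = ' . quoteStringLikePma($user)
        . ' AND label = ' . quoteStringLikePma($label);
}

// Constructed input: a single quote in ordinary data already breaks the unsafe
// query; a deliberately crafted value would change what the query does.
$label = "O'Reilly notes";
echo buildBookmarkQueryUnsafe('alice', $label), "\n";
// ... WHERE user = 'alice' AND label = 'O'Reilly notes'   <- syntax error
echo buildBookmarkQuerySafe('alice', $label), "\n";
// ... WHERE user = 'alice' AND label = 'O\'Reilly notes'  <- literal intact
```

A quick review check is to grep administrative query builders for string interpolation of request values and confirm each one goes through the quoting helper instead.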

Brute force attack

phpMyAdmin on its own does not rate limit authentication attempts in any way. This is caused by the need to work in a stateless environment, where there is no way to protect against such attacks.

To mitigate this, you can use a Captcha or utilize external tools such as fail2ban; this is described in more detail in Securing your phpMyAdmin installation.

Reporting security issues

Should you find a security issue in the phpMyAdmin programming code, please contact the phpMyAdmin security team in advance before publishing it. This way we can prepare a fix and release the fix together with your announcement. You will also be given credit in our security announcement. You can optionally encrypt your report with PGP key ID DA68AB39218AB947 with the following fingerprint:

pub   4096R/DA68AB39218AB947 2016-08-02
      Key fingerprint = 5BAD 38CF B980 50B9 4BD7  FB5B DA68 AB39 218A B947
uid                          phpMyAdmin Security Team <security@phpmyadmin.net>
sub   4096R/5E4176FB497A31F7 2016-08-02

The key can be obtained from the keyserver, from the phpMyAdmin keyring available on our download server, or using Keybase.

Should you have a suggestion on improving phpMyAdmin to make it more secure, please report it to our issue tracker. Existing improvement suggestions can be found under the hardening label.