security.html 11 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211
  1. <!DOCTYPE html>
  2. <html>
  3. <head>
  4. <meta charset="utf-8" />
  5. <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  6. <title>Security policy &#8212; phpMyAdmin 4.9.10 documentation</title>
  7. <link rel="stylesheet" href="_static/pygments.css" type="text/css" />
  8. <link rel="stylesheet" href="_static/classic.css" type="text/css" />
  9. <script id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
  10. <script src="_static/jquery.js"></script>
  11. <script src="_static/underscore.js"></script>
  12. <script src="_static/doctools.js"></script>
  13. <link rel="index" title="Index" href="genindex.html" />
  14. <link rel="search" title="Search" href="search.html" />
  15. <link rel="copyright" title="Copyright" href="copyright.html" />
  16. <link rel="next" title="Distributing and packaging phpMyAdmin" href="vendors.html" />
  17. <link rel="prev" title="Developers Information" href="developers.html" />
  18. </head><body>
  19. <div class="related" role="navigation" aria-label="related navigation">
  20. <h3>Navigation</h3>
  21. <ul>
  22. <li class="right" style="margin-right: 10px">
  23. <a href="genindex.html" title="General Index"
  24. accesskey="I">index</a></li>
  25. <li class="right" >
  26. <a href="vendors.html" title="Distributing and packaging phpMyAdmin"
  27. accesskey="N">next</a> |</li>
  28. <li class="right" >
  29. <a href="developers.html" title="Developers Information"
  30. accesskey="P">previous</a> |</li>
  31. <li class="nav-item nav-item-0"><a href="index.html">phpMyAdmin 4.9.10 documentation</a> &#187;</li>
  32. <li class="nav-item nav-item-this"><a href="">Security policy</a></li>
  33. </ul>
  34. </div>
  35. <div class="document">
  36. <div class="documentwrapper">
  37. <div class="bodywrapper">
  38. <div class="body" role="main">
  39. <div class="section" id="security-policy">
  40. <h1>Security policy<a class="headerlink" href="#security-policy" title="Permalink to this headline">¶</a></h1>
  41. <p>The phpMyAdmin developer team is putting lot of effort to make phpMyAdmin as
  42. secure as possible. But still web application like phpMyAdmin can be vulnerable
  43. to a number of attacks and new ways to exploit are still being explored.</p>
  44. <p>For every reported vulnerability we issue a phpMyAdmin Security Announcement
  45. (PMASA) and it get’s assigne CVE ID as well. We might group similar
  46. vulnerabilities to one PMASA (eg. multiple XSS vulnerabilities can be announced
  47. under one PMASA).</p>
  48. <p>If you think you’ve found a vulnerability, please see <a class="reference internal" href="#reporting-security"><span class="std std-ref">Reporting security issues</span></a>.</p>
  49. <div class="section" id="typical-vulnerabilities">
  50. <h2>Typical vulnerabilities<a class="headerlink" href="#typical-vulnerabilities" title="Permalink to this headline">¶</a></h2>
  51. <p>In this secion, we will describe typical vulnerabilities, which can appear in
  52. our code base. This list is by no means complete, it is intended to show
  53. typical attack surface.</p>
  54. <div class="section" id="cross-site-scripting-xss">
  55. <h3>Cross-site scripting (XSS)<a class="headerlink" href="#cross-site-scripting-xss" title="Permalink to this headline">¶</a></h3>
  56. <p>When phpMyAdmin shows a piece of user data, e.g. something inside a user’s
  57. database, all html special chars have to be escaped. When this escaping is
  58. missing somewhere a malicious user might fill a database with specially crafted
  59. content to trick an other user of that database into executing something. This
  60. could for example be a piece of JavaScript code that would do any number of
  61. nasty things.</p>
  62. <p>phpMyAdmin tries to escape all userdata before it is rendered into html for the
  63. browser.</p>
  64. <div class="admonition seealso">
  65. <p class="admonition-title">See also</p>
  66. <p><a class="reference external" href="https://en.wikipedia.org/wiki/Cross-site_scripting">Cross-site scripting on Wikipedia</a></p>
  67. </div>
  68. </div>
  69. <div class="section" id="cross-site-request-forgery-csrf">
  70. <h3>Cross-site request forgery (CSRF)<a class="headerlink" href="#cross-site-request-forgery-csrf" title="Permalink to this headline">¶</a></h3>
  71. <p>An attacker would trick a phpMyAdmin user into clicking on a link to provoke
  72. some action in phpMyAdmin. This link could either be sent via email or some
  73. random website. If successful this the attacker would be able to perform some
  74. action with the users privileges.</p>
  75. <p>To mitigate this phpMyAdmin requires a token to be sent on sensitive requests.
  76. The idea is that an attacker does not poses the currently valid token to
  77. include in the presented link.</p>
  78. <p>The token is regenerated for every login, so it’s generally valid only for
  79. limited time, what makes it harder for attacker to obtain valid one.</p>
  80. <div class="admonition seealso">
  81. <p class="admonition-title">See also</p>
  82. <p><a class="reference external" href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-site request forgery on Wikipedia</a></p>
  83. </div>
  84. </div>
  85. <div class="section" id="sql-injection">
  86. <h3>SQL injection<a class="headerlink" href="#sql-injection" title="Permalink to this headline">¶</a></h3>
  87. <p>As the whole purpose of phpMyAdmin is to preform sql queries, this is not our
  88. first concern. SQL injection is sensitive to us though when it concerns the
  89. mysql control connection. This controlconnection can have additional privileges
  90. which the logged in user does not poses. E.g. access the <a class="reference internal" href="setup.html#linked-tables"><span class="std std-ref">phpMyAdmin configuration storage</span></a>.</p>
  91. <p>User data that is included in (administrative) queries should always be run
  92. through DatabaseInterface::escapeSring().</p>
  93. <div class="admonition seealso">
  94. <p class="admonition-title">See also</p>
  95. <p><a class="reference external" href="https://en.wikipedia.org/wiki/SQL_injection">SQL injection on Wikipedia</a></p>
  96. </div>
  97. </div>
  98. <div class="section" id="brute-force-attack">
  99. <h3>Brute force attack<a class="headerlink" href="#brute-force-attack" title="Permalink to this headline">¶</a></h3>
  100. <p>phpMyAdmin on its own does not rate limit authentication attempts in any way.
  101. This is caused by need to work in stateless environment, where there is no way
  102. to protect against such kind of things.</p>
  103. <p>To mitigate this, you can use Captcha or utilize external tools such as
  104. fail2ban, this is more details described in <a class="reference internal" href="setup.html#securing"><span class="std std-ref">Securing your phpMyAdmin installation</span></a>.</p>
  105. <div class="admonition seealso">
  106. <p class="admonition-title">See also</p>
  107. <p><a class="reference external" href="https://en.wikipedia.org/wiki/Brute-force_attack">Brute force attack on Wikipedia</a></p>
  108. </div>
  109. </div>
  110. </div>
  111. <div class="section" id="reporting-security-issues">
  112. <span id="reporting-security"></span><h2>Reporting security issues<a class="headerlink" href="#reporting-security-issues" title="Permalink to this headline">¶</a></h2>
  113. <p>Should you find a security issue in the phpMyAdmin programming code, please
  114. contact the <a class="reference external" href="mailto:security&#37;&#52;&#48;phpmyadmin&#46;net">phpMyAdmin security team</a> in
  115. advance before publishing it. This way we can prepare a fix and release the fix together with your
  116. announcement. You will be also given credit in our security announcement.
  117. You can optionally encrypt your report with PGP key ID
  118. <code class="docutils literal notranslate"><span class="pre">DA68AB39218AB947</span></code> with following fingerprint:</p>
  119. <div class="highlight-console notranslate"><div class="highlight"><pre><span></span><span class="go">pub 4096R/DA68AB39218AB947 2016-08-02</span>
  120. <span class="go"> Key fingerprint = 5BAD 38CF B980 50B9 4BD7 FB5B DA68 AB39 218A B947</span>
  121. <span class="go">uid phpMyAdmin Security Team &amp;lt;security@phpmyadmin.net&amp;gt;</span>
  122. <span class="go">sub 4096R/5E4176FB497A31F7 2016-08-02</span>
  123. </pre></div>
  124. </div>
  125. <p>The key can be either obtained from the keyserver or is available in
  126. <a class="reference external" href="https://files.phpmyadmin.net/phpmyadmin.keyring">phpMyAdmin keyring</a>
  127. available on our download server or using <a class="reference external" href="https://keybase.io/phpmyadmin_sec">Keybase</a>.</p>
  128. <p>Should you have suggestion on improving phpMyAdmin to make it more secure, please
  129. report that to our <a class="reference external" href="https://github.com/phpmyadmin/phpmyadmin/issues">issue tracker</a>.
  130. Existing improvement suggestions can be found by
  131. <a class="reference external" href="https://github.com/phpmyadmin/phpmyadmin/labels/hardening">hardening label</a>.</p>
  132. </div>
  133. </div>
  134. <div class="clearer"></div>
  135. </div>
  136. </div>
  137. </div>
  138. <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
  139. <div class="sphinxsidebarwrapper">
  140. <h3><a href="index.html">Table of Contents</a></h3>
  141. <ul>
  142. <li><a class="reference internal" href="#">Security policy</a><ul>
  143. <li><a class="reference internal" href="#typical-vulnerabilities">Typical vulnerabilities</a><ul>
  144. <li><a class="reference internal" href="#cross-site-scripting-xss">Cross-site scripting (XSS)</a></li>
  145. <li><a class="reference internal" href="#cross-site-request-forgery-csrf">Cross-site request forgery (CSRF)</a></li>
  146. <li><a class="reference internal" href="#sql-injection">SQL injection</a></li>
  147. <li><a class="reference internal" href="#brute-force-attack">Brute force attack</a></li>
  148. </ul>
  149. </li>
  150. <li><a class="reference internal" href="#reporting-security-issues">Reporting security issues</a></li>
  151. </ul>
  152. </li>
  153. </ul>
  154. <h4>Previous topic</h4>
  155. <p class="topless"><a href="developers.html"
  156. title="previous chapter">Developers Information</a></p>
  157. <h4>Next topic</h4>
  158. <p class="topless"><a href="vendors.html"
  159. title="next chapter">Distributing and packaging phpMyAdmin</a></p>
  160. <div role="note" aria-label="source link">
  161. <h3>This Page</h3>
  162. <ul class="this-page-menu">
  163. <li><a href="_sources/security.rst.txt"
  164. rel="nofollow">Show Source</a></li>
  165. </ul>
  166. </div>
  167. <div id="searchbox" style="display: none" role="search">
  168. <h3 id="searchlabel">Quick search</h3>
  169. <div class="searchformwrapper">
  170. <form class="search" action="search.html" method="get">
  171. <input type="text" name="q" aria-labelledby="searchlabel" />
  172. <input type="submit" value="Go" />
  173. </form>
  174. </div>
  175. </div>
  176. <script>$('#searchbox').show(0);</script>
  177. </div>
  178. </div>
  179. <div class="clearer"></div>
  180. </div>
  181. <div class="related" role="navigation" aria-label="related navigation">
  182. <h3>Navigation</h3>
  183. <ul>
  184. <li class="right" style="margin-right: 10px">
  185. <a href="genindex.html" title="General Index"
  186. >index</a></li>
  187. <li class="right" >
  188. <a href="vendors.html" title="Distributing and packaging phpMyAdmin"
  189. >next</a> |</li>
  190. <li class="right" >
  191. <a href="developers.html" title="Developers Information"
  192. >previous</a> |</li>
  193. <li class="nav-item nav-item-0"><a href="index.html">phpMyAdmin 4.9.10 documentation</a> &#187;</li>
  194. <li class="nav-item nav-item-this"><a href="">Security policy</a></li>
  195. </ul>
  196. </div>
  197. <div class="footer" role="contentinfo">
  198. &#169; <a href="copyright.html">Copyright</a> 2012 - 2018, The phpMyAdmin devel team.
  199. Created using <a href="https://www.sphinx-doc.org/">Sphinx</a> 3.4.3.
  200. </div>
  201. </body>
  202. </html>