Security policy

The phpMyAdmin developer team is putting a lot of effort into making phpMyAdmin as secure as possible. But still, a web application like phpMyAdmin can be vulnerable to a number of attacks, and new ways to exploit it are still being explored.

For every reported vulnerability we issue a phpMyAdmin Security Announcement (PMASA), and it gets a CVE ID assigned as well. We might group similar vulnerabilities into one PMASA (e.g. multiple XSS vulnerabilities can be announced under one PMASA).

If you think you've found a vulnerability, please see Reporting security issues.

Typical vulnerabilities

In this section, we will describe typical vulnerabilities which can appear in our code base. This list is by no means complete; it is intended to show the typical attack surface.

Cross-site scripting (XSS)

When phpMyAdmin shows a piece of user data, e.g. something inside a user's database, all HTML special characters have to be escaped. When this escaping is missing somewhere, a malicious user might fill a database with specially crafted content to trick another user of that database into executing something. This could for example be a piece of JavaScript code that would do any number of nasty things.

phpMyAdmin tries to escape all user data before it is rendered into HTML for the browser.
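The following is an added example, not phpMyAdmin's own rendering code, showing what the missing escaping looks like next to the escaped form. The cell value is a constructed sample standing in for content an attacker stored in a shared database; the function names are made up for this illustration.

```php
<?php
// Added example (not phpMyAdmin code): rendering a user-controlled database
// value into HTML, first without escaping and then with it.

// Constructed sample: a value a malicious user stored in a table cell.
$cellValue = '<script>alert(document.cookie)</script>';

// Vulnerable: the raw value is concatenated into the page, so the browser
// treats the stored <script> as markup and runs it for every viewer.
function renderCellUnsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened: every HTML special character becomes an entity. ENT_QUOTES
// covers single and double quotes so the same helper is safe inside quoted
// attribute values; the explicit charset prevents multibyte encoding tricks.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCellSafe(string $value): string
{
    return '<td>' . escapeHtml($value) . '</td>';
}

// Attribute context: escaping alone is not enough, the attribute must also
// be quoted, otherwise a space in the value would end the attribute early.
function renderLink(string $label, string $href): string
{
    return '<a href="' . escapeHtml($href) . '">' . escapeHtml($label) . '</a>';
}

echo renderCellUnsafe($cellValue), PHP_EOL; // script tag reaches the browser intact
echo renderCellSafe($cellValue), PHP_EOL;   // shown as literal text instead
```

Escaping has to happen at output time and for the context the value lands in: the HTML-body escaping above does not make a value safe inside a JavaScript string or a URL, which need their own encoding.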

Cross-site request forgery (CSRF)

An attacker would trick a phpMyAdmin user into clicking on a link to provoke some action in phpMyAdmin. This link could either be sent via email or placed on some random website. If successful, the attacker would be able to perform some action with the user's privileges.

To mitigate this, phpMyAdmin requires a token to be sent on sensitive requests. The idea is that an attacker does not possess the currently valid token to include in the presented link.

The token is regenerated for every login, so it is generally valid only for a limited time, which makes it harder for an attacker to obtain a valid one.
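As an added illustration of the per-login token scheme just described (this is example code, not phpMyAdmin's own implementation; the session key `csrf_token` and the form field name `token` are assumptions chosen for the example):

```php
<?php
// Added example (not phpMyAdmin code): a per-login anti-CSRF token.
session_start();

// Called once after a successful login: a fresh, unguessable token replaces
// whatever the previous session had, so an old leaked token stops working.
function issueToken(): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $_SESSION['csrf_token'] = $token;
    return $token;
}

// Every form or link that triggers a state-changing action carries the token.
// An attacker's page on another origin cannot read it, so a forged request
// arrives without it (or with a stale one).
function tokenField(): string
{
    $token = $_SESSION['csrf_token'] ?? issueToken();
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Checked before any sensitive request is acted on.
function verifyToken(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyToken($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Missing or invalid token.');
    }
    // ... perform the requested action with the logged-in user's privileges ...
}
```

Two details matter in practice: the token is only checked on requests that change state (reading a page with a GET must not require it, or links stop working), and it is compared with hash_equals rather than == so a timing difference does not reveal how many leading bytes matched.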

SQL injection

As the whole purpose of phpMyAdmin is to perform SQL queries, this is not our first concern. SQL injection is sensitive to us though when it concerns the MySQL control connection. This control connection can have additional privileges which the logged-in user does not possess, e.g. access to the phpMyAdmin configuration storage.

Data that is used in (administrative) queries should always be run through DatabaseInterface::escapeString().
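An added example, not phpMyAdmin's own code, of the difference between concatenating user data into a control-connection query and escaping it. It uses plain mysqli rather than phpMyAdmin's DatabaseInterface, so `real_escape_string()` plays the role the text assigns to `escapeString()`; the table `pma__bookmark` and its `dbase` column are assumed here to stand for the configuration storage, and the `$link` connection is expected to be opened by the caller.

```php
<?php
// Added example (not phpMyAdmin code): building a configuration-storage query
// on the privileged control connection from a value the logged-in user chose.

// Constructed sample: a database name supplied by the logged-in user.
$userSuppliedDb = "sales' OR '1'='1";

// Unsafe: the value is pasted into the statement verbatim. The single quote
// ends the literal early and the remainder of the input becomes SQL that
// runs with the control connection's extra privileges.
function buildUnsafe(string $dbase): string
{
    return "SELECT `label`, `query` FROM `pma__bookmark` WHERE `dbase` = '" . $dbase . "'";
}

// Escaped: quotes and backslashes are turned into escape sequences so the
// whole input stays inside the literal. The escaping must be done on the
// connection that will run the query, because it depends on that
// connection's character set.
function buildEscaped(mysqli $link, string $dbase): string
{
    return "SELECT `label`, `query` FROM `pma__bookmark` WHERE `dbase` = '"
        . $link->real_escape_string($dbase) . "'";
}

// For a plain value, a prepared statement sends the data separately from the
// statement text, so there is nothing left to escape.
function fetchBookmarks(mysqli $link, string $dbase): array
{
    $stmt = $link->prepare('SELECT `label`, `query` FROM `pma__bookmark` WHERE `dbase` = ?');
    $stmt->bind_param('s', $dbase);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

echo buildUnsafe($userSuppliedDb), PHP_EOL;   // literal closes after "sales"
// $link = new mysqli('localhost', 'pma', 'secret', 'phpmyadmin');
// echo buildEscaped($link, $userSuppliedDb), PHP_EOL;
// var_dump(fetchBookmarks($link, $userSuppliedDb));
```

Note that string escaping only protects quoted string literals. A user-chosen table or column name that ends up as an identifier needs backtick quoting (with embedded backticks doubled) instead, and a value that ends up in a LIMIT or ORDER BY clause must be validated as an integer or checked against a whitelist, since there is no quoting to escape into.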

Brute force attack

phpMyAdmin on its own does not rate limit authentication attempts in any way. This is caused by the need to work in a stateless environment, where there is no way to protect against such kinds of things.

To mitigate this, you can use a Captcha or utilize external tools such as fail2ban; this is described in more detail in Securing your phpMyAdmin installation.

Reporting security issues

Should you find a security issue in the phpMyAdmin programming code, please contact the phpMyAdmin security team in advance before publishing it. This way we can prepare a fix and release the fix together with your announcement. You will also be given credit in our security announcement. You can optionally encrypt your report with PGP key ID DA68AB39218AB947 with the following fingerprint:

pub   4096R/DA68AB39218AB947 2016-08-02
      Key fingerprint = 5BAD 38CF B980 50B9 4BD7 FB5B DA68 AB39 218A B947
uid   phpMyAdmin Security Team <security@phpmyadmin.net>
sub   4096R/5E4176FB497A31F7 2016-08-02

The key can either be obtained from the keyserver or is available in the phpMyAdmin keyring, available on our download server or using Keybase.

Should you have a suggestion on improving phpMyAdmin to make it more secure, please report that to our issue tracker. Existing improvement suggestions can be found by the hardening label.