
PhpMyAdmin Project Successfully Completes Security Audit

210 points by pyprism, almost 9 years ago

15 comments

Xeoncross, almost 9 years ago

I encourage people to google how to run phpMyAdmin, MySQL Workbench, or Sequel Pro locally, and use port forwarding over SSH. It's super simple.

Here is a command that forwards all traffic to localhost:3306 across the ssh tunnel to example.com:3306 (the mysql default port).

    ssh user@example.com -L 3306:localhost:3306

I would never run a DB admin application on the live server because it's just one more piece that might open a security hole.
sync, almost 9 years ago

> A lack of filtering on user CSV output that could allow an attacker to run arbitrary code on an administrator's computer.

> Improper cookie invalidation that could allow an attacker to unset internal global variables.

Those don't count as serious issues? Props to them for making the report public though.
fideloper, almost 9 years ago

I really hate the idea of having a web interface to my database anywhere, no matter how secure they say it is. Social engineering (over direct "hacking") lends itself to circumventing technical security.

No matter their technical security (although I'm super happy they test phpMyAdmin!), I still wouldn't trust it on my servers.

Granted, you can lock phpMyAdmin down via IP restriction, VPN, etc. That's definitely good, but, if you can forgive a bit of generalization, those measures tend to be above people's heads or too restrictive for those using phpMyAdmin.

If we do connect to a database using a GUI (usually an app instead of phpMyAdmin), however, my preference is through an SSH tunnel. This lets us connect securely (over SSH), and still allows MySQL to not be globally accessible from the outside world - meaning you can still use MySQL's built-in network security features (bind-address and username hosts, along with firewall restrictions) to lock down MySQL.
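The tunnel that Xeoncross and fideloper describe, wrapped in a small POSIX sh script as an added example (not code from either commenter): it validates the ports, pins the local side of the forward to 127.0.0.1, and makes ssh fail loudly if the forward cannot be set up. user@example.com is a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread: open an SSH tunnel so a DB GUI on this
# machine reaches MySQL on a server whose port 3306 is bound to loopback only.
# user@example.com is a placeholder; replace it with your own host.

# Accept only a plain TCP port number, so a typo never reaches ssh as an
# unexpected argument.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# The exact ssh invocation: -N (no remote shell, just the forward),
# ExitOnForwardFailure so a local port clash is an error instead of a silent
# login without a tunnel, and the local side pinned to 127.0.0.1 so nothing
# else on the LAN can use the forwarded port.
tunnel_cmd() {
  host="$1"; lport="${2:-3306}"; rport="${3:-3306}"
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:127.0.0.1:%s %s\n' \
    "$lport" "$rport" "$host"
}

# Validate the inputs, then either print the command (mode "dry") or run it.
# Returns 2 on bad input so callers can tell validation failures from ssh
# failures.
open_tunnel() {
  host="$1"; lport="${2:-3306}"; rport="${3:-3306}"; mode="${4:-run}"
  case "$host" in
    ''|-*) echo "refusing host '$host'" >&2; return 2 ;;
  esac
  valid_port "$lport" && valid_port "$rport" || {
    echo "ports must be 1-65535, got '$lport' and '$rport'" >&2; return 2; }
  if [ "$mode" = dry ]; then
    tunnel_cmd "$host" "$lport" "$rport"
    return 0
  fi
  ssh -N -o ExitOnForwardFailure=yes \
    -L "127.0.0.1:$lport:127.0.0.1:$rport" "$host"
}

# Usage (placeholder host): open_tunnel user@example.com 3306 3306
# then point the GUI at 127.0.0.1:3306 while the ssh process is running.
```

While the tunnel is up, MySQL's bind-address can stay at 127.0.0.1 on the server and the GUI still connects as if the database were local.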
igravious, almost 9 years ago

Secure Open Source has completed[1] the following audits.

    - PCRE v2 audited by Cure53[2]: 1 Critical, 5 Medium, 20 Low, 3 Informational
    - libjpeg-turbo audited by Cure53: 1 High, 2 Medium, 2 Low
    - phpMyAdmin audited by NCC Group[3]: 3 Medium, 5 Low, 1 Informational

[1] https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed

[2] https://cure53.de/

[3] https://www.nccgroup.trust/uk/
arrmn, almost 9 years ago

Stupid question, how does a security audit work? Do the consultants just read through the code? Do they try to find security bugs like they do on bug bounty programs?
CiPHPerCoder, almost 9 years ago

I wish NCC Group had been given more time, since phpMyAdmin is nigh-ubiquitous in legacy PHP apps.

For example:

https://github.com/phpmyadmin/phpmyadmin/blob/4cd8ab8a957a2324b4e218acc048642b9a6d2a23/libraries/session.inc.php

Despite setting several security-related session configuration values, they don't touch the cookie entropy fields, which means a potential session fixation vulnerability.

This might not be a concern for most users: typically your distro ships a php.ini configured to read at least 16 bytes from /dev/urandom. But not always! Many projects set cookie.entropy_length and cookie.entropy_source just to be sure.
fauria, almost 9 years ago

Does anyone know how much (approximately) this audit could have cost?
smaili, almost 9 years ago

Does anyone still use this? I didn't realize this was still actively maintained.
homakov, almost 9 years ago

Is there much sense in auditing things that are usually used by the admin and are by design exposing a lot of control of the server? Sure it must not be exposed to an outsider, but if auth is done right, it doesn't matter how far the insider can get... IMO
EGreg, almost 9 years ago

How can we get such audits done for our own open source projects?
sixhobbits, almost 9 years ago

"I'm not sure, what the guys did during the audit of phpMyAdmin, but it took me 3 minutes to find a persistent XSS in the latest version."

https://twitter.com/totally_unknown/status/742753323468640262
oaf357, almost 9 years ago

I encourage everyone to use MySQL Workbench over SSH. For whatever reason people seem to not understand the concept of SSH and the inherent security it provides. But once you explain to folks how to use it effectively, it really is a good balance of security and usability.
scottydelta, almost 9 years ago

> Software Freedom Conservancy congratulates its phpMyAdmin project on succesfuly completing completing a thorough

Repetition of "completing" in the first line.
shaunrussell, almost 9 years ago

10 years late.
creshal, almost 9 years ago

And in the PDF, the auditors complain that they didn't have enough time to even fully analyze the impact of the vulnerabilities found.

I wouldn't read too much into it.