PMA Security vulnerability ?

[BeNe]

Hello,

i checked my config.inc.php in my PMA directory.
There is per default the blowfish_secret set:

Code:

/* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['blowfish_secret']                 = 'VhCsOm3g4kl631po0em3x33g1b.nehir3';

I check the file in the trunk, and this "blowfish_secret" string is in every ispCP installation on every Server the same?

I read about it in the PMA Docu

Code:

$cfg['blowfish_secret'] string
The "cookie" auth_type uses blowfish algorithm to encrypt the password.
If you are using the "cookie" auth_type, enter here a random passphrase of your choice. It will be used internally by the blowfish algorithm: you won’t be prompted for this passphrase. The maximum number of characters for this parameter seems to be 46.

ispCP is using the "cookie" auth_type.
So i dont know if this is a Security vulnerability or not ?
I use PMA of course, but i don´t no much about this function...

Greez BeNe

The secons thing is, i can see here "vhcs" in the key --> "VhCsOm3g4kl631po0em3x33g1b.nehir3"

[joximu]

VhCsOm3g4 - VHCSOMEGA in leet language...

Log in into pma and then have alook at the cookies in your browser.
So, it may be a security issue. If you give the cookie infos to me, I think I am maybe able to log in into your pma.... and since the cookie info is not secured by a https or something else it's maybe better to use a random string as secret.
And with your great update FAQ the secret stays the same since it's in the config.inc.php :-)

/Joximu

[BeNe]

So you mean everybody should set his own blowfish_secret key ?
I will look now for cookies thieves

[RatS]

I don't see any problem; If you got the access to the database you are able to change the password. If not, the knowledge of the string won't help you to break the password.
We cannot create a new one without breaking working installations.

[BeNe]

Ok i understand!
I just thought about...

Thx BeNe

[joximu]

@RatS:
the blowfish_secret has nothing to do with the access to the database - it's just the encryption key for the cookie session. If the session has expired then you must login in any case - during the session it's ok if you have the crypted cookies in the browser...
I changed the blowfishsecret and all I had to do is login again into pma...

That's why I thought that if I have the cookies from BeNe I could try to get the passwords (no need to be on the same day) and then I get maybe the login infor for his pma...
(I have the key - is default -> I should be able to decrypt the cookie session data.

Or am I totally wrong...??

Cheers

[RatS]

okay, it's the session key encrypted by the blowfish string. But how would you intrude the system? You have to know the key of the user (or sniff the session and start a replay attack).

I cannot see any vulnerability. You can change your key but it wouldn't make your PMA safer.

Security is my favourite.

[joximu]

Well I'm still not quite sure.
docu in pma:
> In cookie mode, the password is stored, encrypted with the blowfish
> algorithm, in a temporary cookie

I don't say it's easy to break in but I think it'd be better if the blowfish_secret is not the same in all installations...

When I have some time, I'll try to test that. I the Cookies I have user and passwd - encryted, now I have to analyze how pma does decrypt theese things and then we'll see.

And then we make the test: you give me the cookie data of your pma and I'll try to get the password in cleartext...

[raphael]

I already planned to generate a blowfish_key at install time, but the problem is where to take it from. /dev/random isn't very helpful as some characters may cause problems

[raphael]

Ok, check r606