Current time: 11-30-2024, 07:19 PM Hello There, Guest! (LoginRegister)


Post Reply 
PMA Security vulnerability ?
Author Message
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #1
Question PMA Security vulnerability ?
Hello,

i checked my config.inc.php in my PMA directory.
There is per default the blowfish_secret set:

Code:
/* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
$cfg['blowfish_secret']                 = 'VhCsOm3g4kl631po0em3x33g1b.nehir3';

I check the file in the trunk, and this "blowfish_secret" string is in every ispCP installation on every Server the same?

I read about it in the PMA Docu

Code:
$cfg['blowfish_secret'] string
The "cookie" auth_type uses blowfish algorithm to encrypt the password.
If you are using the "cookie" auth_type, enter here a random passphrase of your choice. It will be used internally by the blowfish algorithm: you won’t be prompted for this passphrase. The maximum number of characters for this parameter seems to be 46.

ispCP is using the "cookie" auth_type.
So i dont know if this is a Security vulnerability or not ?
I use PMA of course, but i don´t no much about this function...

Greez BeNe

The secons thing is, i can see here "vhcs" in the key --> "VhCsOm3g4kl631po0em3x33g1b.nehir3" Wink
(This post was last modified: 05-30-2007 07:13 PM by BeNe.)
05-30-2007 07:11 PM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #2
RE: PMA Security vulnerability ?
VhCsOm3g4 - VHCSOMEGA in leet language...

Log in into pma and then have alook at the cookies in your browser.
So, it may be a security issue. If you give the cookie infos to me, I think I am maybe able to log in into your pma.... and since the cookie info is not secured by a https or something else it's maybe better to use a random string as secret.
And with your great update FAQ the secret stays the same since it's in the config.inc.php :-)

/Joximu
05-30-2007 07:47 PM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #3
RE: PMA Security vulnerability ?
So you mean everybody should set his own blowfish_secret key ?
I will look now for cookies thieves Big Grin
05-30-2007 11:34 PM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #4
RE: PMA Security vulnerability ?
I don't see any problem; If you got the access to the database you are able to change the password. If not, the knowledge of the string won't help you to break the password.
We cannot create a new one without breaking working installations.
05-31-2007 02:22 AM
Visit this user's website Find all posts by this user Quote this message in a reply
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #5
RE: PMA Security vulnerability ?
Ok i understand!
I just thought about...Smile

Thx BeNe
05-31-2007 02:40 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #6
RE: PMA Security vulnerability ?
@RatS:
the blowfish_secret has nothing to do with the access to the database - it's just the encryption key for the cookie session. If the session has expired then you must login in any case - during the session it's ok if you have the crypted cookies in the browser...
I changed the blowfishsecret and all I had to do is login again into pma...

That's why I thought that if I have the cookies from BeNe I could try to get the passwords (no need to be on the same day) and then I get maybe the login infor for his pma...
(I have the key - is default -> I should be able to decrypt the cookie session data.

Or am I totally wrong...??

Cheers
05-31-2007 03:23 AM
Visit this user's website Find all posts by this user Quote this message in a reply
RatS Offline
Project Leader
******

Posts: 1,854
Joined: Oct 2006
Reputation: 17
Post: #7
RE: PMA Security vulnerability ?
okay, it's the session key encrypted by the blowfish string. But how would you intrude the system? You have to know the key of the user (or sniff the session and start a replay attack).

I cannot see any vulnerability. You can change your key but it wouldn't make your PMA safer.

Security is my favourite. Big Grin
(This post was last modified: 05-31-2007 07:30 AM by RatS.)
05-31-2007 07:30 AM
Visit this user's website Find all posts by this user Quote this message in a reply
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #8
RE: PMA Security vulnerability ?
Well I'm still not quite sure.
docu in pma:
> In cookie mode, the password is stored, encrypted with the blowfish
> algorithm, in a temporary cookie

I don't say it's easy to break in but I think it'd be better if the blowfish_secret is not the same in all installations...

When I have some time, I'll try to test that. I the Cookies I have user and passwd - encryted, now I have to analyze how pma does decrypt theese things and then we'll see.

And then we make the test: you give me the cookie data of your pma and I'll try to get the password in cleartext...
05-31-2007 08:33 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #9
RE: PMA Security vulnerability ?
I already planned to generate a blowfish_key at install time, but the problem is where to take it from. /dev/random isn't very helpful as some characters may cause problems
05-31-2007 10:17 AM
Visit this user's website Find all posts by this user Quote this message in a reply
raphael Offline
Member
***

Posts: 474
Joined: Apr 2007
Reputation: 8
Post: #10
RE: PMA Security vulnerability ?
Ok, check r606
05-31-2007 11:22 AM
Visit this user's website Find all posts by this user Quote this message in a reply
Post Reply 


Forum Jump:


User(s) browsing this thread: 1 Guest(s)