
PhpMyAdmin Project Successfully Completes Security Audit - pyprism
https://www.phpmyadmin.net/news/2016/6/13/phpmyadmin-project-successfully-completes-security-audit/
======
Xeoncross
I encourage people to google how to run phpMyAdmin, MySQL Workbench, or Sequel
Pro locally, and use port forwarding over SSH. It's super simple.

Here is a command that forwards all traffic to localhost:3306 across the ssh
tunnel to example.com:3306 (the mysql default port).

    ssh user@example.com -L 3306:localhost:3306

I would never run a DB admin application on the live server because it's just
one more piece that might open a security hole.

~~~
xrstf
On Windows, I recommend using HeidiSQL, which handles SSH tunnels for you
using PuTTY's plink.exe.

~~~
voycey
Be wary of Heidi and SSH tunnelling on Windows - I'm sure the bugs have been
fixed but I first-hand realised that it re-used the tunnel for subsequent
connections, meaning you were not making changes on the database you thought
you were - definitely caused some problems! However it is such a good client
that I now use it on Linux under Wine :)

~~~
voycey
[https://sourceforge.net/p/heidisql/tickets/2832/](https://sourceforge.net/p/heidisql/tickets/2832/)

Found my original ticket! And yes, I truncated a few production tables :(

------
sync
> A lack of filtering on user CSV output that could allow an attacker to run
> arbitrary code on an administrator's computer.

> Improper cookie invalidation that could allow an attacker to unset internal
> global variables.

Those don't count as serious issues? Props to them for making the report
public though.
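The first finding quoted above is the classic CSV (formula) injection: spreadsheet applications evaluate a cell that begins with `=`, `+`, `-` or `@` as a formula rather than text, so an attacker who can get such a string into a table row gets it into the administrator's spreadsheet on export. The following is an added example, not phpMyAdmin's code or the audit's, of the usual export-side mitigation (prefixing such cells with a single quote so they are treated as text) together with a check that scans an export for cells that would still fire. The sample rows and the payload string are constructed for illustration.

```python
import csv
import io

# Characters that make Excel / LibreOffice interpret a cell as a formula.
# Tab and CR are included because they can hide a leading '=' from naive checks.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value):
    """Prefix a would-be formula with a quote so the spreadsheet keeps it as text.

    Only strings are touched: a genuinely numeric -5 stays a number, so numeric
    columns are not mangled while "-5 degrees" in a text column is defused.
    """
    if isinstance(value, str) and value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_csv(rows, header) -> str:
    """Write rows as CSV with every text cell neutralised and every field quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralise_cell(cell) for cell in row])
    return buf.getvalue()


def has_formula_cells(csv_text: str) -> bool:
    """True if any cell in an existing CSV export would be evaluated as a formula."""
    for row in csv.reader(io.StringIO(csv_text)):
        if any(cell and cell[0] in FORMULA_TRIGGERS for cell in row):
            return True
    return False


# Constructed sample: one benign row, one row carrying a DDE-style payload,
# and one row whose text merely starts with a minus sign.
SAMPLE_ROWS = [
    (1, "alice", "hello"),
    (2, "mallory", "=cmd|' /C calc'!A0"),
    (3, "bob", "-5 degrees"),
]
```

The quote prefix is the mitigation OWASP documents for CSV injection; it is a defence for the consumer's spreadsheet, not a substitute for treating the exported data as untrusted in any other context.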

~~~
creshal
> > A lack of filtering on user CSV output that could allow an attacker to run
> arbitrary code on an administrator's computer.

Iff the user has Excel, and explicitly allows it to run macros in a CSV file.
It's already a stretch to call this a phpMyAdmin vulnerability, much less a
"medium severity" one.

> > Improper cookie invalidation that could allow an attacker to unset
> internal global variables.

From the PDF report:

> _Note: Because of the large amount of global variables, and the relatively
> short nature of this assessment, NCC Group was unable to fully determine the
> impact of this vulnerability._

It might be serious, but they didn't have enough budget to make a proper
analysis.

~~~
Rangi42
> Because of the large amount of global variables... NCC Group was unable to
> fully determine the impact of this vulnerability.

In other words, "This project is too full of potential security holes to find
the definite ones."

~~~
drzaiusapelord
No, it means we understand there are theoretical security issues with global
variables, but cannot determine if they're actually applicable or exploitable
in this software.

~~~
MustardTiger
You just repeated exactly the same thing he said as if you were disagreeing.

~~~
richardwhiuk
A theoretical security vulnerability isn't really a thing - it's just a bug.
Either it's exploitable, and thus a security vulnerability, or it's a bug and
isn't.

~~~
MustardTiger
Yes it is. It is a bug, that may be exploitable. There's no contradiction
there.

~~~
coldtea
Global variables are not bugs -- at worst they are bad style and can cause
bugs.

As for your other comments, there's this "burden of proof" thing.

~~~
MustardTiger
Did you reply to the wrong comment by mistake? What other comments? What are
you talking about?

------
fideloper
I really hate the idea of having a web interface to my database anywhere, no
matter how secure they say it is. Social engineering (over direct "hacking")
lends itself to circumventing technical security.

No matter their technical security (Although I'm super happy they test
phpmyadmin!), I still wouldn't trust it on my servers.

Granted you can lock phpmyadmin down via ip restriction, vpn, etc - that's
definitely good, but, if you can forgive a bit of generalization, those
measures tend to be over people's heads or too restrictive for those using
phpmyadmin.

If we do connect to a database using a GUI (usually an app instead of
phpmyadmin), however, my preference is through an SSH tunnel. This lets us
connect securely (over SSH), and still allow MySQL to not be globally
accessible from the outside world - meaning, you can still use MySQL's
built-in network security features (bind-address and username hosts, along
with firewall restrictions) to lock down MySQL.
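Xeoncross's tunnel command near the top of the thread and the bind-address / user-host lockdown described just above are two halves of one setup. As an added example, not code from the thread, from phpMyAdmin or from MySQL, here is a small helper that parses an OpenSSH `-L` spec, refuses to build a tunnel whose local end is reachable from the LAN, emits a client invocation that actually goes through the tunnel, and generates the matching server-side my.cnf fragment and SQL. The host `example.com`, the user names and the placeholder password are assumptions.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

LOOPBACK = ("127.0.0.1", "localhost", "::1")


@dataclass(frozen=True)
class Forward:
    local_bind: str     # address the tunnel listens on, on the workstation
    local_port: int
    remote_host: str    # resolved on the remote side of the tunnel
    remote_port: int


def parse_forward(spec: str) -> Forward:
    """Parse an OpenSSH -L spec of the form [bind_address:]port:host:hostport.

    With no bind_address OpenSSH listens on loopback only (unless GatewayPorts
    is set), so that default is made explicit here.
    """
    parts = spec.split(":")
    if len(parts) == 3:
        bind, port, host, hostport = "127.0.0.1", *parts
    elif len(parts) == 4:
        bind, port, host, hostport = parts
    else:
        raise ValueError(f"unrecognised -L spec: {spec!r}")
    return Forward(bind, int(port), host, int(hostport))


def tunnel_exposed_to_lan(fwd: Forward) -> bool:
    """True if the local end listens on a non-loopback address, which would let
    any host that can reach the workstation reach the remote MySQL as well."""
    return fwd.local_bind not in LOOPBACK and not fwd.local_bind.startswith("127.")


def ssh_argv(user: str, host: str, fwd: Forward) -> list[str]:
    """argv for the tunnel; refuses to build one that is reachable from the LAN."""
    if tunnel_exposed_to_lan(fwd):
        raise ValueError(f"refusing to bind the tunnel on {fwd.local_bind!r}")
    return [
        "ssh",
        "-N",                              # forward only, no remote shell
        "-o", "ExitOnForwardFailure=yes",  # fail loudly if the local port is taken
        "-o", "ServerAliveInterval=30",    # notice a dead tunnel instead of hanging
        "-L", f"{fwd.local_bind}:{fwd.local_port}:{fwd.remote_host}:{fwd.remote_port}",
        f"{user}@{host}",
    ]


def mysql_client_argv(db_user: str, fwd: Forward) -> list[str]:
    """argv for a client that goes through the tunnel.

    The mysql client treats the host name "localhost" as "use the Unix
    socket", which would bypass the tunnel entirely, so the address is
    rewritten to 127.0.0.1 and TCP is forced.
    """
    host = "127.0.0.1" if fwd.local_bind == "localhost" else fwd.local_bind
    return ["mysql", "--protocol=TCP", "-h", host,
            "-P", str(fwd.local_port), "-u", db_user, "-p"]


def mysql_lockdown(db_user: str, db_name: str) -> tuple[str, str]:
    """Server side: my.cnf fragment keeping mysqld off the network, plus SQL
    that admits the user only from 127.0.0.1, where tunnelled connections
    arrive. The password is left as a placeholder for the operator."""
    for name in (db_user, db_name):
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError(f"unsafe identifier: {name!r}")
    cnf = "[mysqld]\nbind-address = 127.0.0.1\n"
    sql = (
        f"CREATE USER '{db_user}'@'127.0.0.1' IDENTIFIED BY '<password>';\n"
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{db_name}`.* TO '{db_user}'@'127.0.0.1';\n"
        "-- deliberately no wildcard-host account for this user\n"
    )
    return cnf, sql
```

Run `ssh_argv("user", "example.com", parse_forward("3306:localhost:3306"))` to get the explicit form of the command from the top of the thread; the host-restricted account means that even if `bind-address` is later loosened, the user still cannot log in from anywhere but the loopback side of the tunnel.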

~~~
dvt
For a prospective hacker, I don't think there's much of a (functional)
difference between a graphical interface or a shell.

~~~
developer2
The attack surface for a web application like phpmyadmin is the entire
codebase of that application. The attack surface for mysql over an ssh tunnel
is basically only the sshd daemon and its authentication configuration.

I think most people would agree which one exposes a greater likelihood of
being hacked. Of course you can secure a phpmyadmin installation against even
being accessed by attackers (I've done this in the past myself), but there is
still a chance of such security measures being accidentally botched compared
to the sshd configuration.

I don't feel strongly either way, if you are confident that your security
measures on a phpmyadmin installation are solid. I for one, security audit or
not, would never expose a phpmyadmin installation on a publicly accessible
URL.

------
igravious
Secure Open Source has completed[1] the following audits.

    - PCRE v2 audited by Cure53[2]
      1 Critical
      5 Medium
      20 Low
      3 Informational

    - libjpeg-turbo audited by Cure53
      1 High
      2 Medium
      2 Low

    - phpMyAdmin audited by NCC Group[3]
      3 Medium
      5 Low
      1 Informational

[1]
[https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed](https://wiki.mozilla.org/MOSS/Secure_Open_Source/Completed)

[2] [https://cure53.de/](https://cure53.de/)

[3] [https://www.nccgroup.trust/uk/](https://www.nccgroup.trust/uk/)

------
arrmn
Stupid question, how does a security audit work? Do the consultants just read
through the code? Do they try to find security bugs like they do on bug bounty
programs?

~~~
dsacco
Good question. It can be all or none of the above. Here's what happens at a
high level:

Once a company decides it needs a security assessment performed on an
application, it engages with a consulting firm. Consulting firms generally
offer a variety of services, from web and mobile application penetration
tests, to cryptanalysis (implementation and design), to reverse engineering
and binary penetration testing, with source code audits sprinkled throughout
(or as standalone assessments). Let's assume they move forward with a web
application assessment.

The company decides if it wants a source code audit, a penetration test or
both. The most comprehensive assessments will include source code and
unmitigated access to a staging environment that the consultants do not have
to worry about destroying. However, they could also decide they don't want to
hand over the code (common in things like sensitive financial applications or
in applications with protective developers). I've worked on many assessments
where I had no source code - this is called a "black-box" assessment.

Conversely, an assessment might consist of a source code audit with no
penetration test! This is less common, but it's particularly suited for
engagements where the developers are fairly sure they've eliminated the most
common issues and they are really focused on obscure errors, logic flaws and
race conditions.

It really depends on the type of security audit. You can have more exotic
ones, like black-box cryptanalysis where a company hands Riscure a proprietary
payment mechanism and there is heavy reverse engineering and side channel
analysis. It can also be very vanilla, like the web application penetration
tests that bug bounty programs attempt to simulate. Companies decide what they
are going to do based on their application's profile and their goals.

Putting this all together, these are the stages of a traditional security
audit from a high-quality firm:

 _Step 1:_ A company receives several proposals and decides which company to
move forward with based on which statement of work most closely matches their
security goals, timing, budget and desired expertise. Then they decide on a
start date.

 _Step 2:_ Representatives from the company (generally a technical manager, a
security engineer or manager if the company has one and at least one
developer) have a conference call with representatives from the security firm
(generally, the security consultants performing the assessment, an account
executive and a technical manager) to "kick off" the assessment with technical
and logistical engagement planning. Things like "How will we access the
staging environment?" and "Is there anything off-limits" are fleshed out here
as well as reminders about scope and scheduling.

 _Step 3:_ Things like source code, infrastructure/application/API
documentation, PGP keys, etc. are securely exchanged and verified. This comes
out of a list of mutual action items from the kick-off call.

 _Step 4:_ The actual assessment happens, generally in a period of one to
three weeks. I've never been involved in an assessment less than one week
long, and assessments longer than four weeks usually need to re-scope or they
become monolithic and difficult to coordinate. Progress reports with findings
and testing data are securely sent to the company from the security firm.

 _Step 5:_ The assessment is finished and a final deliverable is securely sent
to the company from the security firm. An optional re-test assessment might
happen a few weeks or months later to confirm if the findings have been
satisfactorily resolved.

This is based on my knowledge of having worked in security consultancies,
engaging with them as an in-house security engineer and running my own
consulting firm.

~~~
arrmn
Thanks for your response, great to see how it works from a business side. I'm
going to use this opportunity and ask you another question.

What happens if after 2-3 weeks of consulting you don't find any "high impact"
issue? Are your customer angry, happy?

~~~
dsacco
That almost never happens. I can count on one hand the number of times it has
happened in ~100 past assessments. Generally speaking, the maxim, "There is no
such thing as a secure system" is valid. Competent security consultants should
be capable of finding _something_ actionable in all but the most exceptional
circumstances if you throw them into a room to search for vulnerabilities for
a few weeks.

That said, I have had assessments where there were no findings. This is
generally because there are informational observations that can't be escalated
to vulnerabilities in the given assessment time, or because the application
has a very security-conscious development team. If it happens, it might be a
sign that the application is not sufficiently mature to require an assessment
yet, or it's just too simple to really analyze. It can also mean that the
consultant is not sufficiently competent to perform the assessment.

To give an example, I worked at a large consultancy where we had a giant
public company hold us on retainer to perform assessments on "brochure
websites" - they were not interactive at all. There wasn't even a login
interface. The company wanted to check off that it had security assessments
performed on all webpages it hosted, but realistically there were never any
actionable findings. (This is about as much detail as I can give because it's
NDA'd, but it's not the sort of thing I'd take on in my own practice).

A more recent example is a YC company I worked with a few weeks ago. Their
development team is very well educated on security matters. While I found
security vulnerabilities, there were no high severity findings because the
quality of peer review and paranoid development was very high there. They were
very familiar with every Ruby/Rails gotcha and pretty thoroughly avoided them.

To answer your question, I've never had anyone "angry" at me for not finding
anything. They're not "happy", but as long as they can verify that the work
they paid for was done, they aren't angry. It doesn't happen often, and when
it has happened the consultant should provide enough information to
demonstrate that competent work was done.

However, I personally don't feel very good about it. My understanding is that
competent security engineers in general are not happy about it. It is much
more likely that the assessment either shouldn't have happened (because the
application is not mature or complex enough) or that the consultant was simply
insufficiently competent than that the application is really completely
secure.

------
CiPHPerCoder
I wish NCC Group had been given more time, since phpMyAdmin is nigh-ubiquitous
in legacy PHP apps.

For example:

[https://github.com/phpmyadmin/phpmyadmin/blob/4cd8ab8a957a23...](https://github.com/phpmyadmin/phpmyadmin/blob/4cd8ab8a957a2324b4e218acc048642b9a6d2a23/libraries/session.inc.php)

Despite setting several security-related session configuration values, they
don't touch the cookie entropy fields, which means a potential session
fixation vulnerability.

This might not be a concern for most users: typically your distro ships a
php.ini configured to read at least 16 bytes from /dev/urandom. But not
always! Many projects set cookie.entropy_length and cookie.entropy_source just
to be sure.
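The settings named above live in php.ini, so the practical check is to read the deployed php.ini rather than trust the distro default. Below is an added example, not phpMyAdmin's or PHP's own code, of a small audit of the session directives that bear on session fixation: `session.use_strict_mode` (PHP rejects a session ID it did not itself issue, which is the direct fixation defence), `session.use_only_cookies`, the cookie flags, and, where present, `session.entropy_length` / `session.entropy_source` (these two directives were removed in PHP 7.1, so the check only evaluates them if the file sets them). Both php.ini fragments are constructed for illustration and are not a real distro's defaults.

```python
from __future__ import annotations

PHP_TRUE = {"1", "on", "true", "yes"}


def parse_php_ini(text: str) -> dict[str, str]:
    """Minimal php.ini reader: ';' starts a comment, [sections] are ignored,
    remaining lines are key = value (quotes around the value stripped)."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def _enabled(settings: dict[str, str], key: str) -> bool:
    return settings.get(key, "").lower() in PHP_TRUE


def audit_session_settings(settings: dict[str, str]) -> list[str]:
    """Return the findings a reviewer would raise against these settings."""
    findings: list[str] = []
    if not _enabled(settings, "session.use_strict_mode"):
        findings.append("session.use_strict_mode is off: PHP accepts an "
                        "uninitialised session ID supplied by the client (fixation)")
    if not _enabled(settings, "session.use_only_cookies"):
        findings.append("session.use_only_cookies is off: the session ID may be "
                        "taken from the URL")
    if not _enabled(settings, "session.cookie_httponly"):
        findings.append("session.cookie_httponly is off: script can read the cookie")
    if not _enabled(settings, "session.cookie_secure"):
        findings.append("session.cookie_secure is off: cookie is sent over plain HTTP")
    # Pre-7.1 entropy directives: only judged when the file actually sets them.
    if "session.entropy_length" in settings:
        try:
            length = int(settings["session.entropy_length"])
        except ValueError:
            length = 0
        if length < 16:
            findings.append(f"session.entropy_length = {length}: fewer than 16 "
                            "bytes of OS randomness mixed into session IDs")
        if settings.get("session.entropy_source", "") != "/dev/urandom":
            findings.append("session.entropy_source is not /dev/urandom")
    return findings


# Constructed samples, not any distribution's shipped php.ini.
WEAK_INI = """\
[Session]
session.use_strict_mode = 0
session.use_only_cookies = 1
session.cookie_httponly = 0
session.entropy_length = 0   ; left at the old zero default
"""

HARDENED_INI = """\
[Session]
session.use_strict_mode = 1
session.use_only_cookies = 1
session.cookie_httponly = 1
session.cookie_secure = 1
session.entropy_length = 32
session.entropy_source = /dev/urandom
"""
```

Strict mode only stops the server from adopting an attacker-chosen ID; an application still has to call `session_regenerate_id(true)` when the user's privilege changes (login in particular), otherwise a pre-login session that the attacker already knows carries over into the authenticated one.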

------
fauria
Does anyone know how much (approximately) this audit could have cost?

~~~
dsacco
Given that the assessment occupied two weeks with two consultants, between
$25,000 - $35,000.

I don't have intimate knowledge of NCC Group's pricing structure because I
don't work there. But I have friends who do, and similarly situated
consultancies that I've worked for are in the $10,000/week range for a one-off
assessment with non-senior staff. This is also somewhat close to what I charge
through my own smaller consulting practice.

Now, if there was specialty work (like crypto), particularly comprehensive
work, more consultants billed on the assessment than usual or senior/principal
consultants billed on the assessment, the total fee would go up. This is why I
added a $10,000 premium to my estimate; the source code analysis detailed in
this report might qualify as "non-standard."

That said, NCC might have worked on a discount for the opportunity to
advertise that they were involved in the audit. But I don't see this
assessment having cost anything less than $20,000 even in a charitable
situation.

~~~
zhte415
$10,000/week range seems low for a week long audit, but depends on time
charged.

Most audits I've worked on, while a week long, have a 2 week pre-audit
familiarization period for the audit team, and a 1 week long post-audit
report-writing period. This means a 1 week audit is an actual week of
investigation, and for $10,000 this sounds low.

Via the article, it seems like a leading client / lead of future potential
client, so discount works on many levels.

And from TFA: Conservancy and the phpMyAdmin project are proud of the results
and thank Mozilla for funding and initiating the audit.

~~~
dsacco
Interesting. Do you mind if I ask what sort of audits you were working on?

I can understand the 2 week pre-audit familiarization period. How would you
price this out instead? I was operating under the assumption that the pre-
audit familiarization was priced into the first week as threat modeling and
discovery. This would also lend credence to the report admitting that they did
not have time to investigate as thoroughly as they would have liked.

I did forget to include the post-audit report-writing period, it's been a
while since that was a thing for me. I've never billed for that in my own
practice because I disagree with the idea of billing for five days of work
that essentially boils down to "fill in findings and application details into
a long-form, templated PDF." I've also never seen a consultant really need
five days to complete one of those :). I'm sure folks like Tom will come in
shortly to beat me over the head for not charging for this part of the
assessment.

I don't understand what you mean by this though:

 _> And from TFA: Conservancy and the phpMyAdmin project are proud of the
results and thank Mozilla for funding and initiating the audit._

I do agree it's likely that there is a discount here for future or publicly
recognizable work.

~~~
zhte415
Banking. But there was a standard policy, regardless of department - HR,
Operations, Technology, Sales, everything. What was important was the scope.

I may have read the article wrongly, however. On second reading, it seems
audit in the sense of check. Not audit as I assumed on an institutional level.
In this case, certainly not everything is checked. Tires are kicked in the
first couple of days, and if something seems like it has a leak, an extremely
deep dive will be taken, for example checking thousands of records by hand
(well, probably in Excel) looking for something missed - a signature, a
verifier, etc. Non-cooperation results in the audit being extended in time
until the auditor is satisfied with their findings.

------
smaili
Does anyone still use this? I didn't realize this was still actively
maintained.

~~~
creshal
If you are using MySQL, and need to manually fuck around with tables for
whatever reason, it's really useful and beats most other options.

For us it sees plenty of use with poorly developed legacy software (e.g.
Wordpress).

~~~
pinum
I can't think of much reason to use it over Workbench or Sequel Pro.

~~~
whatsamattayou
Some dev environments aren't local, and sometimes this is faster, especially
if you have to document the changes for future updates that don't include your
fancy tools.

~~~
markplindsay
Sequel Pro's built-in SSH tunnel has worked for me in every remote development
situation I've encountered.

It seems like a really bad idea to place a web-based database tool on a
public-facing host when technology exists to route MySQL through SSH.

Even shared hosts support SSH these days. If yours doesn't, maybe it's time to
find another shared host!

~~~
smhenderson
It's been a while but I'm pretty sure you can do so with PHPMyAdmin.

I seem to remember installing it on my own workstation, setting up the ssh
tunnel and then pointing PHPMA to localhost.

It's not my favorite tool and I've avoided it due to security concerns but
I've set it up for others as described and I recall it worked fine. Like I
said though it's been a while and I'm fuzzy on the details.

------
homakov
Is there much sense in auditing things that are usually used by the admin and
are by design exposing a lot of control of the server? Sure it must not be
exposed to an outsider, but if auth is done right, it doesn't matter how far
the insider can get... IMO

------
EGreg
How can we get such audits done for our own open source projects?

~~~
oxguy3
There are selection criteria listed at
[https://wiki.mozilla.org/MOSS/Secure_Open_Source](https://wiki.mozilla.org/MOSS/Secure_Open_Source)
, and, if you think you meet most of the criteria, you can fill out a form to
apply.

------
sixhobbits
"I'm not sure, what the guys did during the audit of phpMyAdmin, but it took
me 3 minutes to find a persistent XSS in the latest version."

[https://twitter.com/totally_unknown/status/74275332346864026...](https://twitter.com/totally_unknown/status/742753323468640262)

------
oaf357
I encourage everyone to use MySQL Workbench over SSH. For whatever reason
people seem to not understand the concept of SSH and the inherent security it
provides. But, once you explain to folks how to use it effectively it really
is a good balance of security and usability.

------
scottydelta
> Software Freedom Conservancy congratulates its phpMyAdmin project on
> succesfuly completing completing a thorough

repetition of "completing" in first line.

------
shaunrussell
10 years late.

------
creshal
And in the PDF, the auditors complain that they didn't have enough time to
even fully analyze the impact of the vulnerabilities found.

I wouldn't read too much into it.

~~~
Johnny_Brahms
That is misleading. They said they had the ability to unset global variables.
Looking at the PHPMyAdmin codebase, I understand they didn't have the time.

