Typical vulnerabilities
-----------------------
Cross-site scripting (XSS)
++++++++++++++++++++++++++

When phpMyAdmin shows a piece of user data, e.g. something inside a user's
database, all HTML special characters have to be escaped. When this escaping is
missing somewhere, a malicious user might fill a database with specially crafted
content to trick another user of that database into executing something. This
could for example be a piece of JavaScript code that would do any number of
nasty things.

phpMyAdmin tries to escape all user data before it is rendered into HTML for the
browser.
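The escaping rule above, shown as an added example that is not phpMyAdmin's own code: a constructed cell value is rendered once by plain concatenation and once through ``htmlspecialchars``, the escaping step the paragraph describes. Function names and the sample value are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: a cell value as it might be stored in a user's table.
// Anything read from the database is untrusted and must not reach the HTML
// stream unescaped.
const SAMPLE_CELL = '<b>not bold</b> & "quoted" \'single\'';

// Escape a value for placement inside HTML text or a double-quoted attribute.
// ENT_QUOTES covers both quote kinds (needed for attribute context);
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8, which
// would silently drop data instead of showing it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: the stored value is concatenated straight into HTML,
// so markup inside the value becomes part of the page.
function renderCellUnsafe(string $value): string
{
    return '<td title="' . $value . '">' . $value . '</td>';
}

// Hardened rendering: every interpolation point (attribute and text) is
// escaped, so the value is displayed literally.
function renderCellSafe(string $value): string
{
    $escaped = escapeHtml($value);
    return '<td title="' . $escaped . '">' . $escaped . '</td>';
}

// Check usable in a unit test: the raw value must not survive verbatim in the
// rendered HTML.
function containsRawValue(string $html, string $value): bool
{
    return strpos($html, $value) !== false;
}

echo renderCellUnsafe(SAMPLE_CELL), PHP_EOL;
echo renderCellSafe(SAMPLE_CELL), PHP_EOL;
var_dump(containsRawValue(renderCellUnsafe(SAMPLE_CELL), SAMPLE_CELL));
var_dump(containsRawValue(renderCellSafe(SAMPLE_CELL), SAMPLE_CELL));
```

The same escaping must be applied at every output point; a value that is safe inside a text node is still unsafe inside a ``<script>`` block or a URL, which need their own context-specific encoding.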
Cross-site request forgery (CSRF)
+++++++++++++++++++++++++++++++++

The token that phpMyAdmin requires on sensitive requests is regenerated for
every login, so it is generally valid only for a limited time, which makes it
harder for an attacker to obtain a valid one.
SQL injection
+++++++++++++

As the whole purpose of phpMyAdmin is to perform SQL queries, this is not our
first concern. SQL injection is sensitive to us, though, when it concerns the
MySQL control connection. This control connection can have additional privileges
which the logged-in user does not possess, e.g. access to the :ref:`linked-tables`.
Brute force attack
++++++++++++++++++

phpMyAdmin on its own does not rate limit authentication attempts in any way.
This is caused by the need to work in a stateless environment, where there is
no way to protect against such kind of things.

To mitigate this, you can use a Captcha or utilize external tools such as
fail2ban; this is described in more detail in :ref:`securing`.
.. _reporting-security:

Reporting security issues
-------------------------

Should you find a security issue in the phpMyAdmin programming code, please
contact the `phpMyAdmin security team <mailto:security@phpmyadmin.net>`_ in
advance before publishing it. This way we can prepare a fix and release the fix
together with your announcement. You will also be given credit in our security
announcement.
You can optionally encrypt your report with PGP key ID
``DA68AB39218AB947``; verify the key's full fingerprint against the one
published by the project before using it.
Should you have a suggestion on improving phpMyAdmin to make it more secure,
please report that to our `issue tracker
<https://github.com/phpmyadmin/phpmyadmin/issues>`_.
Existing improvement suggestions can be found under the
`hardening label <https://github.com/phpmyadmin/phpmyadmin/labels/hardening>`_.