
Commit 62b2c91

committed
bug #4611 [security] DOS attack with long passwords
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
1 parent 23ef019 commit 62b2c91


4 files changed

+27
-0
lines changed


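--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.1.14.8 (not yet released)
+- bug #4611 [security] DOS attack with long passwords
+
 4.1.14.7 (2014-11-20)
 - bug #4596 [security] XSS through exception stack
 - bug #4595 [security] Path traversal can lead to leakage of line count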

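--- a/libraries/common.inc.php
+++ b/libraries/common.inc.php
@@ -856,6 +856,9 @@
 . ' ' . $cfg['Server']['auth_type']
 );
 }
+if (isset($_REQUEST['pma_password'])) {
+$_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
+}
 include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
 // todo: add plugin manager
 $plugin_manager = null;
@@ -985,6 +988,8 @@
 $controllink = $userlink;
 }
 
+$auth_plugin->storeUserCredentials();
+
 /* Log success */
 PMA_logUser($cfg['Server']['user']);
 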
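Review bot: The cap added at new line 860 only shortens `$_REQUEST['pma_password']`; `$_POST['pma_password']` and `$_SERVER['PHP_AUTH_PW']` are separate copies (the cookie plugin in the later section unsets `PHP_AUTH_PW`, so that channel appears to be consumed too), and if an auth plugin reads the password from one of those the full-length value still reaches it — worth confirming which superglobal each plugin reads. `substr` is byte-based, so a multibyte password can be cut mid-character; that is acceptable for a hard cap but the limit is a bare magic number with no stated reason. I would add `// bug #4611: cap the password length before the auth plugin processes it` above the `if`, and consider a named constant for `256`. The second hunk's `$auth_plugin->storeUserCredentials();` runs after the MySQL connection has been established and before the success log, which the method's docblocks in the plugin sections do not yet say.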
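--- a/libraries/plugins/AuthenticationPlugin.class.php
+++ b/libraries/plugins/AuthenticationPlugin.class.php
@@ -41,6 +41,15 @@ abstract public function authCheck();
 */
 abstract public function authSetUser();
 
+/**
+* Stores user credentials after successful login.
+*
+* @return void
+*/
+public function storeUserCredentials()
+{
+}
+
 /**
 * User is not allowed to login to MySQL -> authentication failed
 *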
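Review bot: The docblock on the new `storeUserCredentials()` describes behaviour the base method does not have — the body is empty, so it is a hook that plugins may override, and nothing says where it is invoked. I would replace the summary line with `* Hook called from libraries/common.inc.php after the MySQL connection succeeded; the default does nothing, plugins that persist credentials (e.g. cookie auth) override it.` so a plugin author knows both the timing and that overriding is optional.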

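--- a/libraries/plugins/auth/AuthenticationCookie.class.php
+++ b/libraries/plugins/auth/AuthenticationCookie.class.php
@@ -582,6 +582,16 @@ public function authSetUser()
 unset($_SERVER['PHP_AUTH_PW']);
 
 $_SESSION['last_access_time'] = time();
+}
+
+/**
+* Stores user credentials after successful login.
+*
+* @return void
+*/
+public function storeUserCredentials()
+{
+global $cfg;
 
 // Name and password cookies need to be refreshed each time
 // Duration = one month for username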
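Review bot: The docblock on `storeUserCredentials()` at new line 587 is copied verbatim from the abstract base and does not say what this override actually does; the surviving comment at line 596 indicates it refreshes the username and password cookies, so the summary should say that: `* Refreshes the username and password cookies; called from common.inc.php only after the MySQL login succeeded, so presumably no credential cookie is written for a failed attempt.` The method body runs past the end of the hunk, so what it writes and how the password is encrypted before storage cannot be reviewed here, and whether a cookie left behind by an earlier failed attempt is cleared is also not visible — both are worth checking in the full file. The `global $cfg;` dependency follows the file's existing convention but deserves a `@global array $cfg` line in the docblock.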
