bug #4611 [security] DOS attack with long passwords
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj committed Dec 2, 2014
1 parent 23ef019 commit 62b2c91
Showing 4 changed files with 27 additions and 0 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================

4.1.14.8 (not yet released)
- bug #4611 [security] DOS attack with long passwords

4.1.14.7 (2014-11-20)
- bug #4596 [security] XSS through exception stack
- bug #4595 [security] Path traversal can lead to leakage of line count
5 changes: 5 additions & 0 deletions libraries/common.inc.php
@@ -856,6 +856,9 @@
. ' ' . $cfg['Server']['auth_type']
);
}
if (isset($_REQUEST['pma_password'])) {
$_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
}
include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
// todo: add plugin manager
$plugin_manager = null;
@@ -985,6 +988,8 @@
$controllink = $userlink;
}

$auth_plugin->storeUserCredentials();

/* Log success */
PMA_logUser($cfg['Server']['user']);

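Review bot: The new length cap in the first hunk, `$_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);`, is guarded only by `isset()`, so a `pma_password` that arrives as an array rather than a string is handed to `substr()` and does not end up as a bounded string. Tightening the guard to `if (isset($_REQUEST['pma_password']) && is_string($_REQUEST['pma_password'])) {` and discarding non-string values closes that gap. The cap also rewrites only `$_REQUEST`; whether every auth plugin takes the password from there (rather than from `$_POST` or `$_SERVER['PHP_AUTH_PW']`) is not visible in this hunk and should be confirmed. A one-line comment saying why 256 was chosen, and that longer input is silently truncated rather than rejected, would help the next reader. Both hunks sit in top-level code that continues outside the visible lines.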
9 changes: 9 additions & 0 deletions libraries/plugins/AuthenticationPlugin.class.php
@@ -41,6 +41,15 @@ abstract public function authCheck();
*/
abstract public function authSetUser();

/**
* Stores user credentials after successful login.
*
* @return void
*/
public function storeUserCredentials()
{
}

/**
* User is not allowed to login to MySQL -> authentication failed
*
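Review bot: The empty `storeUserCredentials()` body reads like an unfinished stub, and its docblock does not say that doing nothing is the intended default. I would extend the docblock with a sentence such as `Default implementation does nothing; plugins that persist credentials override it.` It is also worth recording that the caller in libraries/common.inc.php invokes it just before the `/* Log success */` step, so an override apparently runs only once the login has gone through. The override added in AuthenticationCookie.class.php carries the same two-line docblock and would benefit from the same note about when it runs.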
10 changes: 10 additions & 0 deletions libraries/plugins/auth/AuthenticationCookie.class.php
@@ -582,6 +582,16 @@ public function authSetUser()
unset($_SERVER['PHP_AUTH_PW']);

$_SESSION['last_access_time'] = time();
}

/**
* Stores user credentials after successful login.
*
* @return void
*/
public function storeUserCredentials()
{
global $cfg;

// Name and password cookies need to be refreshed each time
// Duration = one month for username
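Review bot: Splitting the cookie refresh out of `authSetUser()` changes that method's contract: after this hunk it ends at `$_SESSION['last_access_time'] = time();` and no longer reaches the "Name and password cookies need to be refreshed each time" code. Only one call to `storeUserCredentials()` is visible in this commit (in libraries/common.inc.php), so any other code path that relied on `authSetUser()` to refresh the cookies would now silently skip that step; a search for remaining callers is worth doing before release. The body of `storeUserCredentials()` continues outside the hunk, so what it reads after `global $cfg;` cannot be checked here.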
