phpinfo silently removed #12495

Closed
chrcoluk opened this Issue Aug 25, 2016 · 23 comments


8 participants

@chrcoluk

php 5.6.25
phpmyadmin 4.6.4
apache 2.4

Has the Show php info feature been silently removed?

@nijel nijel self-assigned this Aug 25, 2016
@nijel nijel added the question label Aug 25, 2016
@nijel
Member
nijel commented Aug 25, 2016

It has been removed due to security concerns as it might leak information.

If you want to display it, creating the file manually is minimal effort.

However, it is true that we've not yet released an announcement for that.

@nijel nijel added documentation and removed question labels Aug 25, 2016
@mrlerch
mrlerch commented Aug 27, 2016

Personally I believe it should be a user's choice to set $cfg['ShowPhpInfo'] = TRUE/FALSE
I understand that there are security concerns, however if someone so chooses to have that link inside phpMyAdmin and understands the risks involved, then I think you should leave it available, and leave it up to the individual.
Let's face it. I would never put my phpMyAdmin installation anywhere publicly accessible anyway. If there was a vote, I would vote to bring this feature and setting back, and let the user decide.

Thank you. And thank you for all your hard work making such a fantastic tool. A true time saver for someone who is not that great command line configuring and managing a MySQL database!

@nijel
Member
nijel commented Aug 28, 2016

Honestly I don't see a use case for embedding phpinfo inside phpMyAdmin. In the end we're a database management tool...

@mrlerch
mrlerch commented Aug 28, 2016

Oh yeah? Why has the feature been there then for the last, oh, gazillion years/versions?

Martin


@nijel
Member
nijel commented Sep 2, 2016

Yes, it has been. There are features which got removed after long time. Same has recently happened to Swekey auth.

@gavsiu
gavsiu commented Sep 13, 2016

It was useful to check if certain modules were installed without having to create and delete a php file numerous times. I have it enabled only on my test server which is not accessible to the internet. Sad to see this go.

@nijel
Member
nijel commented Sep 16, 2016

It could indeed be useful for a developer, but it can be useful to an attacker as well. For example, it shows the value of HttpOnly cookies, making it possible to steal them using JavaScript, which would not otherwise be possible.

@mrlerch
mrlerch commented Sep 16, 2016

Not if the script is
a) behind a fire wall
b) only accessible from a specific IP
c) username and password protected

You know, all these good things one really should practice anyway. I am telling you, you have bigger problems if someone logs into your phpMyAdmin. Definitely bigger problems than seeing your phpinfo() file!

Thanks.


@nijel
Member
nijel commented Sep 16, 2016

Unfortunately people have shown a good record in the past of being able to shoot themselves in the foot with phpMyAdmin, so it's all about reducing risks.

@ibennetch
Contributor

I don't have a strong opinion about this but do lean towards the view that we should not include it. Displaying such information is truly useful, but such system administration tasks are really beyond the scope of what is intended for phpMyAdmin. For an administrator, it's trivial to add a phpinfo file in some private and secured space; for phpMyAdmin it's a heavy burden to secure such information (for instance, non-administrative users should probably not have access).

This is a difficult issue of balancing security against making administration easier.

@mrlerch
mrlerch commented Sep 16, 2016

Instead of dictating to us what we can and can’t have allow us to enable or disable it like it was. I hate being told what’s good for me and what’s not.


@mrlerch
mrlerch commented Sep 19, 2016

Anybody wants to restore this functionality? Here is how:

Copy over the file (from 4.6.0 or 4.6.1) phpinfo.php

Or create one -
Name: phpinfo.php | Save in: phpMyAdmin root directory | File contents:

```php
<?php
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * phpinfo() wrapper to allow displaying only when configured to do so.
 *
 * @package PhpMyAdmin
 */

/**
 * Gets core libraries and defines some variables
 */
require_once 'libraries/common.inc.php';
PMA\libraries\Response::getInstance()->disable();

/**
 * Displays PHP information
 */
if ($GLOBALS['cfg']['ShowPhpInfo']) {
    phpinfo();
}
```

Open index.php
Goto: line 320

Find:
```php
if ($GLOBALS['cfg']['ShowServerInfo']) {
```

Change to:
```php
if ($GLOBALS['cfg']['ShowServerInfo'] || $GLOBALS['cfg']['ShowPhpInfo']) {
```

Line 360, before:
```php
echo ' </ul>';
```

Copy and paste the code below to line 360:
```php
if ($cfg['ShowPhpInfo']) {
    PMA_printListItem(
        __('Show PHP information'),
        'li_phpinfo',
        'phpinfo.php' . $common_url_query,
        null,
        '_blank'
    );
}
```

That should do it. I know each time you update phpMyAdmin you would have to do that, but if you want it, it only takes like 2 minutes.

Mr. L

@MirKml
MirKml commented Sep 20, 2016

It definitely needs to be mentioned in the release notes. I was searching for this feature in the source files and finally I found this issue.

@chrcoluk
chrcoluk commented Sep 22, 2016 edited

Thanks mrlerch. I find the reasoning weak, to be honest, and given that people here have found workarounds, it shows I am not the only one. Perhaps the developers knew it would be controversial, hence the omission?

If a server administrator is worried about data leakage they only needed to disable phpinfo, and if I remember correctly it was actually disabled by default anyway.

I have always found making phpinfo files a pain in the backside, and phpMyAdmin always proved useful as a quick way to load the page.

Ironically this probably actually weakens security, as a typical phpMyAdmin page is protected by a form of authentication; now people will end up creating phpinfo files in unprotected webspace and may forget to remove them.

@msapiro
msapiro commented Dec 2, 2016

Nothing new here but this, with line 2 adjusted appropriately, is what I'm using to restore the prior functionality.
phpinfo_patch.txt

Also regarding the comment at #12495 (comment), couldn't the same be said about the entire Web server information box?

@nijel
Member
nijel commented Jan 7, 2017

Yes, it could be said about the web server information as well, but that doesn't defeat security choices we've made, while phpinfo does (https://www.phpmyadmin.net/security/PMASA-2016-59/, for example see http://security.stackexchange.com/q/120025/135581). So at least phpinfo can be used to steal active session or authentication cookies, which would not be possible without it (as httponly cookies are not available to JavaScript). There are certainly ways to defeat such attacks, but this is really something most users will not think of, and they will keep phpinfo enabled even without them.

I really fail to see a reason for having phpinfo available within phpMyAdmin. At most it might make sense at the time you configure it, but I'm not even convinced about this (in such a case it could be added as part of #12844).

PS: If you're going to patch this back, please at least reverse the removal patch (e67e692) as compared to the original code (added by the patch above) it includes CSP headers for the phpinfo, mitigating at least some possible vulnerabilities in it (9f3823a).

@nijel nijel closed this Jan 7, 2017
@nijel
Member
nijel commented Jan 7, 2017

On the other side, we could probably limit what phpinfo shows and bring it back again. However the important question is: What do you look at in the phpinfo page?

@nijel nijel reopened this Jan 7, 2017
@nijel nijel referenced this issue Jan 7, 2017
Merged

Bring back limited phpinfo #12875

@msapiro
msapiro commented Jan 7, 2017

I am aware of the potential CSRF vulnerability, and I'm sure it is real, but in my case, I have a tightly controlled environment that limits the vulnerability.

As far as what I use phpinfo for, #12875 would be quite enough. The use case is there are 3 people, including me, who do php development and testing on local machines before installing things on the production server. They want to be able to ensure that the modules and settings they are using in development are all available and consistent on the production server. Thus (INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES) is certainly sufficient.

Granted, we don't need to get this info via phpMyAdmin, but we all use it, and it is convenient.
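
The two points above (nijel's: phpinfo's variables section prints HttpOnly cookie values and the removal patch had added CSP headers; msapiro's: INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES covers the real use case) can be combined in one wrapper. The following is an added example written for this thread, not phpMyAdmin's own phpinfo.php and not the code merged in #12875; the config key `ShowPhpInfo`, the `$isAdmin` argument and the function names are illustrative assumptions.

```php
<?php
/**
 * Added example, not phpMyAdmin project code: a restricted phpinfo wrapper.
 *
 * It shows only the sections a developer usually wants (PHP version, ini
 * settings, loaded modules) and omits INFO_VARIABLES, the section that
 * dumps $_COOKIE (HttpOnly cookies included), $_SERVER and $_ENV, plus
 * INFO_ENVIRONMENT. It also sends a restrictive CSP so that a script
 * injected elsewhere cannot be loaded or framed around this page.
 *
 * Assumptions (illustrative, not the project's API): $cfg['ShowPhpInfo']
 * as the opt-in switch, and the caller deciding $isAdmin.
 */

declare(strict_types=1);

// Sections considered safe to display. INFO_VARIABLES and INFO_ENVIRONMENT
// are deliberately left out of this mask.
const SAFE_PHPINFO_FLAGS = INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES;

function phpinfoAllowed(array $cfg, bool $isAdmin): bool
{
    // Off by default; only an explicit opt-in by an administrative user shows it.
    return !empty($cfg['ShowPhpInfo']) && $isAdmin;
}

function sendPhpinfoHeaders(): void
{
    // phpinfo() output is static HTML with an inline <style> block, so styles
    // are the only inline content we allow; no scripts, no frames, no caching.
    header("Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; frame-ancestors 'none'");
    header('X-Frame-Options: DENY');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: no-referrer');
    header('Cache-Control: no-store');
    header('Content-Type: text/html; charset=UTF-8');
}

/**
 * Returns the restricted phpinfo HTML, or an empty string (with a 403) when
 * the caller is not allowed to see it.
 */
function renderRestrictedPhpinfo(array $cfg, bool $isAdmin): string
{
    if (!phpinfoAllowed($cfg, $isAdmin)) {
        http_response_code(403);
        return '';
    }

    sendPhpinfoHeaders();

    ob_start();
    phpinfo(SAFE_PHPINFO_FLAGS);
    $html = (string) ob_get_clean();

    // Defence in depth: the variables section is titled "PHP Variables" in
    // phpinfo()'s HTML output (assumption about the heading text). If it ever
    // shows up despite the flag mask, refuse to emit the page at all.
    if (stripos($html, 'PHP Variables') !== false) {
        http_response_code(500);
        return '';
    }

    return $html;
}

// Usage (hypothetical): $isAdmin would come from your own check, e.g. whether
// the logged-in MySQL account has administrative privileges.
$cfg = ['ShowPhpInfo' => true];
$isAdmin = false;
echo renderRestrictedPhpinfo($cfg, $isAdmin);
```

The mask is the important part: INFO_VARIABLES is what turns phpinfo into a cookie oracle for an attacker who can get a user's browser to fetch the page, and leaving it out removes that without touching anything the "is module X loaded, what is memory_limit" use case needs. The CSP mirrors what the thread says the removal commit had added and is cheap to keep even on an internal-only install.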

@mrlerch
mrlerch commented Jan 8, 2017
@ervin210
ervin210 commented Jan 8, 2017

cloud screenshot dnssec and dskey
Hey i any advice about my account i can get? please

@nijel
Member
nijel commented Jan 8, 2017

@ervin210 I really don't see how this is related to this issue...

@msapiro Thanks for confirming that #12875 is good enough for your use case!

@MirKml
MirKml commented Jan 9, 2017

For me, the important parts are general information about the PHP version and modules. Phpinfo in PMA is my preferred way to check this information, when PMA is part of the application or web hosting tools.

@nijel nijel added a commit that referenced this issue Jan 17, 2017
@nijel nijel Changelog entry for #12495 and #12875
Signed-off-by: Michal Čihař <michal@cihar.com>
eb28985
@nijel nijel added enhancement and removed documentation labels Jan 17, 2017
@nijel nijel added this to the 4.6.6 milestone Jan 17, 2017
@nijel
Member
nijel commented Jan 17, 2017

Okay, phpinfo is now back via #12875

@nijel nijel closed this Jan 17, 2017