Inconsistent useragent in httpRequest

[emanuelb]

when curl used to send request:
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4241

        curl_setopt($curl_handle, CURLOPT_USERAGENT, 'phpMyAdmin/' . PMA_VERSION);

The user-agent will contain the PMA version.
but when fopen method is used:
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4865

                'user_agent' => 'phpMyAdmin',

The user-agent will not contain PMA version.

fix:

1. use the same User-Agent in curl & fopen methods.
2. include the PMA version in user-agent only if you use it / plan to use it.

[arimourao]

How can I test this?

[ibennetch]

Further, on quick look the comment at https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4848 is incorrect and should reference fopen rather than curl.

[arimourao]

So, should we add PMA on fopen or remove it from curl?

[ForensicITGuy]

Leaving the PMA version in the user-agent string could help when troubleshooting issues dealing with requests between web servers, but it also presents a security issue. Disclosure of version numbers over a web request in this manner provides unauthenticated users with information that could be used to research a PMA instance for exploits.

[emanuelb]

Sure, from privacy/security perspective it's better to strip the version in user-agent / or better mock common request pattern (as done by TOR browser)
Still the 'unauthenticated users' in this case are hacked target server & someone conduct successful SSL MITM (as https used in all calls), Thus the question is: does the version information from user-agent will be used (see 2 in fix)

[ervin210]

hey

[Fenn-CS]

Hello @emanuelb and @ibennetch I have decided to work on this issue, my proposed solution is to remove all the PMA version occurrences in the header as of now for the purpose of security as mentioned earlier. If this is okay then I will go ahead.

[nijel]

Fixed by #13074