Inconsistent useragent in httpRequest #12708
Comments
How can I test this?
Further, on a quick look the comment at https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4848 is incorrect and should reference fopen rather than curl.
So, should we add PMA on fopen or remove it from curl?
Leaving the PMA version in the user-agent string could help when troubleshooting issues dealing with requests between web servers, but it also presents a security issue. Disclosure of version numbers over a web request in this manner provides unauthenticated users with information that could be used to research a PMA instance for exploits.
Sure, from a privacy/security perspective it's better to strip the version in the user-agent, or better, mock a common request pattern (as done by TOR browser).
hey
Hello @emanuelb and @ibennetch, I have decided to work on this issue. My proposed solution is to remove all the PMA version occurrences in the header as of now, for the purpose of security as mentioned earlier. If this is okay then I will go ahead.
Signed-off-by: Michal Čihař <michal@cihar.com>
Fixed by #13074
When curl is used to send the request:
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4241
The user-agent will contain the PMA version.
But when the fopen method is used:
https://github.com/phpmyadmin/phpmyadmin/blob/master/libraries/Util.php#L4865
The user-agent will not contain the PMA version.
fix:
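
An added example, not part of this issue thread or of phpMyAdmin's code: one way to have the curl and fopen transports discussed above send the same version-free User-Agent, with an offline check that neither leaks a version. The `HTTP_USER_AGENT` constant and all function names are hypothetical, and the union return type assumes PHP 8.

```php
<?php
// Hypothetical constant: product token only, no version number.
const HTTP_USER_AGENT = 'phpMyAdmin';
// Options for the curl transport (call only when ext-curl is loaded).
function curlOptions(int $timeout = 10): array
{
    return [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => $timeout,
        CURLOPT_USERAGENT      => HTTP_USER_AGENT,
    ];
}

// Options for the fopen/stream transport, mirroring the curl ones.
function streamOptions(int $timeout = 10): array
{
    return ['http' => [
        'timeout'    => $timeout,
        'user_agent' => HTTP_USER_AGENT,
    ]];
}

// True if the string carries a dotted version such as "1.2.3".
function leaksVersion(string $userAgent): bool
{
    return preg_match('/\d+\.\d+/', $userAgent) === 1;
}

// Fetch a URL with whichever transport is available; same User-Agent on both.
function httpGet(string $url): string|false
{
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, curlOptions());
        return curl_exec($ch);
    }
    return file_get_contents($url, false, stream_context_create(streamOptions()));
}

// Self-check that runs offline: neither transport may advertise a version.
$agents = [streamOptions()['http']['user_agent']];
if (defined('CURLOPT_USERAGENT')) {
    $agents[] = curlOptions()[CURLOPT_USERAGENT];
}
foreach ($agents as $ua) {
    if (leaksVersion($ua)) {
        throw new RuntimeException("User-Agent leaks a version: $ua");
    }
}
```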