bug #4611 [security] DOS attack with long passwords
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj committed Dec 1, 2014
1 parent 13a288d commit 095729d
Showing 4 changed files with 27 additions and 0 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================

4.0.10.7 (not yet released)
- bug #4611 [security] DOS attack with long passwords

4.0.10.6 (2014-11-20)
- bug #4578 [security] XSS vulnerability in table print view
- bug #4579 [security] XSS vulnerability in zoom search page
5 changes: 5 additions & 0 deletions libraries/common.inc.php
@@ -866,6 +866,9 @@
. ' ' . $cfg['Server']['auth_type']
);
}
if (isset($_REQUEST['pma_password'])) {
$_REQUEST['pma_password'] = substr($_REQUEST['pma_password'], 0, 256);
}
include_once './libraries/plugins/auth/' . $auth_class . '.class.php';
// todo: add plugin manager
$plugin_manager = null;
@@ -974,6 +977,8 @@
$controllink = $userlink;
}

$auth_plugin->storeUserCredentials();

/* Log success */
PMA_log_user($cfg['Server']['user']);

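Review bot: The guard added just before the auth plugin is included passes `$_REQUEST['pma_password']` to `substr()` without checking its type, so a request that supplies the parameter as an array reaches `substr()` with a non-string and leaves a non-string value in `$_REQUEST` for the plugin. Handling that case first would close it, for example `if (isset($_REQUEST['pma_password']) && ! is_string($_REQUEST['pma_password'])) { unset($_REQUEST['pma_password']); }` ahead of the truncation. The cap is also written only to `$_REQUEST`, which PHP keeps as a separate array from `$_POST` and `$_GET`; if any auth plugin reads the password from those (not visible here) it would still see the full-length value. The literal 256 deserves a comment such as `// Bound the password length before any auth plugin processes it (bug #4611)`. The enclosing block starts and ends outside the hunk.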
9 changes: 9 additions & 0 deletions libraries/plugins/AuthenticationPlugin.class.php
@@ -41,6 +41,15 @@ abstract public function authCheck();
*/
abstract public function authSetUser();

/**
* Stores user credentials after successful login.
*
* @return void
*/
public function storeUserCredentials()
{
}

/**
* User is not allowed to login to MySQL -> authentication failed
*
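Review bot: The docblock on the new `storeUserCredentials()` says it stores user credentials, but the base implementation is an empty body, so the comment describes what an override does rather than what this method does. A wording such as `Hook run after a successful login; the default implementation does nothing, plugins that persist credentials override it.` would make the no-op deliberate to the next reader. Unlike the `abstract` declarations next to it, this method is concrete, and a short line on why (plugins that store nothing need no override, presumably) would help. The rest of the class is outside the hunk.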
10 changes: 10 additions & 0 deletions libraries/plugins/auth/AuthenticationCookie.class.php
@@ -475,6 +475,16 @@ public function authSetUser()
unset($_SERVER['PHP_AUTH_PW']);

$_SESSION['last_access_time'] = time();
}

/**
* Stores user credentials after successful login.
*
* @return void
*/
public function storeUserCredentials()
{
global $cfg;

// Name and password cookies need to be refreshed each time
// Duration = one month for username
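Review bot: The new `storeUserCredentials()` takes over the tail of `authSetUser()` but re-declares only `global $cfg;`, so any other local variable the moved statements relied on would now be undefined. The remainder of the body is outside the hunk, so this needs checking against the full file. For the same reason the `@return void` tag should be checked against whatever return statement the moved tail ends with, and `authSetUser()` against its own documented return value now that it closes right after the `last_access_time` assignment. The docblock could also say what is stored and where, e.g. `Refreshes the user name and password cookies; called only after the login has succeeded.`, since the point of the split appears to be that cookie work is no longer done for failed attempts.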
