Michal Čihař - Blog Archives for phpMyAdmin

Secure your phpMyAdmin

phpMyAdmin is quite popular software (to give some numbers let's mention 10000 downloads daily on SourceForge.net or 122685 reports in Debian's popcon) and as such is quite attractive target for various scripted attacks. If you run phpMyAdmin installation somewhere you should really make sure it is enough secured, so that these script kiddies don't get through.

In past month I've looked at what kind of attacks are these guys trying and in all cases these are pretty old vulnerabilities, some of them fixed years ago. So the first thing you should do is to update. It is always good to run latest stable version, but in case you can not for whatever reason, try at least taking the most important fixes and using them.

In ideal world your distribution would do this job for you, but in case it did not, you can for example take patches from Debian, which is pretty good at taking our patches (surprisingly it is not much related to my involvement there). To check which patches they have applied you can use excellent patch-tracker tool, which exposes patches from all released packages.

To give you overview of which issues are mostly being attempted to exploit by script kiddies right now, here is the list:

  • PMASA-2010-3 - yes, more than two years old, but still unpatched in some places
  • PMASA-2011-5 - "only" half year old
  • PMASA-2011-6 - only useful together with wrongly configured PHP

If you have fixed these, you should be pretty safe for now, but follow our security announcements for possible future issues (you can use RSS feed or subscribe to news mailing list, where all security issues are announced as well).

However there are more things you can do to keep you safer:

  • remove setup directory from phpMyAdmin, you will probably not use it after initial setup
  • prevent access to libraries directory from browser, as it is not needed, supplied .htaccess file does this
  • properly choose authentication method - cookie is probably the best choice for shared hosting
  • in case you don't want all MySQL users to be able to access phpMyAdmin, you can use AllowDeny rules to limit them
  • consider hiding phpMyAdmin behind authentication proxy, so that MySQL credenticals are not all users need to login

So these are the basic steps which will help you against possible compromise, I might return to some of these in more details in future posts.

phpMyAdmin translations status

As phpMyAdmin is approaching to 3.5 release, it has come time to share about translations status. Here comes third round of translation status update.

Since last update we have one new translation at 100%, but one has dropped from the list:

  • Czech
  • English (Great Britain)
  • Russian
  • Slovenian
  • Spanish
  • Swedish
  • Turkish

There are few which are really close to 100% and I hope they will get there soon:

  • French
  • Danish
  • Japanese
  • Polish

As you can see, traveling around FOSDEM was really useful for Czech translation, which I've managed to complete during that weekend (+ Monday when I traveled to Nuremberg).

There was great amount of work done on Polish translation, so hopefully it will be on 100% in next report. Also Rouslan is progressing quite well on Italian, but there is still fair amount of work to be done.

Was your language not mentioned? It's now perfect time to contribute to it.

Book about phpMyAdmin 3.4

With quite usual delay after release, book Mastering phpMyAdmin 3.4 for Effective MySQL Management has been published.

Unlike the previous edition, I was not doing technical review here, but it is anyway special book for me - the cover photo is coming from me, what is actually for the very first time this has happened.

As usual with Packt opensource books, phpMyAdmin project receives some money for each sold copy of the book, so you're welcome to buy it :-).

Migrating code to github

As you might have noticed from my previous posts, we've moved phpMyAdmin code to github. Now I'm going to describe some things which might be useful for you if you are about do to similar switch.

While using git, moving to another hosting provider should be pretty straightforward. Just add another remote, push code there and it should be done. On the other side you probably have dozens of things in your infrastructure which you need to adjust. So the first thing to do is write down what all services are connected to your current git repositories. Let me name some which might be worth checking:

  • continuous integration server
  • snapshots generating
  • demo server (in case you're providing something like we do)
  • commit notifications
  • various statistics services such as cia.vc
  • website generating
  • references in wiki, website and documetation

Once you think you have remembered all important things (the less important will probably show up anyway, but majority of things should work), you're ready to make the move.

I've decided to make the move in few steps. First push all data to new location, what can take some time. I'll get in more details to that later. In the same time I asked all contributors to give me their login information, so that I can allow them access to new repositories. Once all recently active developers were migrated, it was time to push all remaining commits to new git repositories and make the switch for real.

Pushing git repo to another location, should be pretty easy. On the other side if you have many branches, it get's slightly more complex, I've ended up with following shell snippet (pushing all branches present in origin to github remote):

git branch -r | grep origin/ | grep -v HEAD | sed 's@.*/@@' | while read b ; do git checkout $b ; git push github $b:$b ; done

Please ensure that you check output of this, because you may hit network problems somewhere in the middle and you end up with few branches than you expect. As the code is pretty much idempotent, you can safely run it several times until there is nothing to push. You should also push all tags to new location:

git push --tags github

Okay, we've all data on right place, so let's switch all our users to new location:

git remote set-url origin git@github.com:phpmyadmin/phpmyadmin.git # read/write
git remote set-url origin git://github.com/phpmyadmin/phpmyadmin.git # read only

Of course everybody has to do this manually.

Next good thing is to let people know when they are using wrong repo (which will stay there for some time). Unfortunately there is AFAIK no way to warn them on pull, so let's warn at least on push:

$ cat > hooks/update
#!/bin/sh
echo "phpMyAdmin git repositories have moved to https://github.com/phpmyadmin"
exit 1

I think this is pretty much all. You can find some more bits in our Git migration wiki page.

PS: Thanks to github for offering us hosting and sorry for breaking their branch displaying page by too many divergent branches.

phpMyAdmin is now at github

I've just updated phpMyAdmin repos on github and enabled notifications hooks there, so the earlier announced switch to github is done.

All you need to do is point your repositories to pull/push to github, for main repository it can be done using:

git remote set-url origin git@github.com:phpmyadmin/phpmyadmin.git

If you are using just read only access then use following:

git remote set-url origin git://github.com/phpmyadmin/phpmyadmin.git

For other repositories just replace last part of the URL with repository name (they have not changed).

Everything should work as before, pushes should be now faster, because all notifications are done in background on github and they don't block pushing.

Back from FOSDEM

Yet another FOSDEM is behind us and I'd like to thank all people organizing it. It was a great event as usual.

This year there were some changes - the conference grew and there was an extra building. This is great, but on the other side, there were more tracks to follow and occasionally I wanted to be in four places at once, what is of course not manageable.

Combined with quite freezing weather (well it was still much warmer than it is now in Prague), moving from one side of campus to another was not that comfortable as in last years, but there is not much man can do with that.

And the biggest change for me - I did not manage beer event this year. We enjoyed great team dinner on Friday evening and while it ended, I was too lazy to move to crowded beer event and rather enjoyed bed in my hotel.

phpMyAdmin goes github

Yesterday we did held phpMyAdmin team meeting and we discussed several things for project future. One of discussed things was to move our repositories to github for easier collaboration and management of private repositories.

After some discussions we've decided to go for it. As I write this blog, all repositories are being pushed there and once all developers will get their access rights there, we will move completely.

But even right now, you can fork us on github, the code is already there and will be updated obsessionally until we fully move there.

Enjoying FOSDEM

Again, as usual in last few years, I'm spending first weekend in February in Brussels, where FOSDEM is happening.

This year we've again decided to do make this team meeting for phpMyAdmin, so people from five countries and three continents came to one conference to discuss future development and other stuff.

But of course this is not only thing I'm going to do here. I came with openSUSE folks, where we've brought lot of beer, some DVDs and hardware to show. You're welcome to check it out.

And of course there is about 430 talks to visit during weekend :-).

How not to ask questions

First of all, take this blog post as a rant from developer. I don't expect that this will change anything in how people ask me questions.

Anyway before you write me email with some questions, please check following easy bits:

  1. Have you tried to write your question into Google?
  2. Most projects have documentation, have you looked at it?
  3. There are mailing lists or discussion forums, do you really need to write directly to me?
  4. Writing subject like "!important" or ALL IN CAPS will work other way than you probably expect.
  5. Yes I have more email addresses, that does not mean you should write to all of them.

If you do follow these basic rules, you might get more help than usual. If you are interested in knowing more, there is famous How To Ask Questions The Smart Way which will tell you more information than I did in this rant.

phpMyAdmin translations status

As phpMyAdmin is approaching to 3.5 release, it has come time to share about translations status. Here comes second round of translation status update.

Since last update we have two more translations at 100%:

  • English (Great Britain)
  • French
  • Russian
  • Slovenian
  • Spanish
  • Swedish
  • Turkish

There are few which are really close to 100% and I hope they will get there soon:

  • Danish
  • Japanese

Just on next level is Czech, where I'm progressing quite slowly and would welcome help :-).

There was also great improvement in Romanian in past week so I hope we will see it soon on top of the list as well.

Was your language not mentioned? It's now perfect time to contribute to it.