I find it troubling that a so-called security expert is discussing unfixed security holes in a public forum. Good work, thanks.
On Jan 27, 2011, at 2:41 PM, Jakub Vrána <jakub@...> wrote:
> Hello Michal!
>> JFYI - many issues from your list are fixed in upcoming 3.4 (right now
>> in beta). I probably missed something, but at least following are
> I'm happy that there is some progress in upcoming phpMyAdmin release.
> I will compare it again with the next version of Adminer when they
> both will be out.
>> - Relations - phpMyAdmin honors relations in MySQL, you can
>> additionally define relations for tables where MySQL does not support
> The problem with relations and other advanced features in phpMyAdmin
> is that they require creating extra tables and specifying them in
> configuration. That is exactly written in the comparison. The result
> is that most users don't know about this feature at all. I really
> don't understand this behavior: "OK, tables are created so phpMyAdmin
> will enable features for which the tables are not required at all."
>> - Selecting data - similar functionality is there for ages, try
>> "Search" tab on table
> Search in phpMyAdmin is really just for search. Adminer allows
> constructing queries containing clauses like CHAR_LENGTH(x), COUNT(*),
> GROUP BY x, ORDER BY x,y and so on just by couple of clicks.
>> - your number of themes does not include two which are shipped with
>> phpMyAdmin itself
> And it doesn't include one theme of Adminer so the score is 6:8 :-).
>> And I don't think that comparing number of publicly announced security
>> bugs fixed in 2010 is relevant. Several big groups focused on
>> phpMyAdmin in 2010, some of them are now doing regular review of the
>> new code. I doubt that Adminer has received so big review as it is less
>> known application.
> The difference between Adminer and phpMyAdmin is that Adminer is
> designed from start as a secure application and that security is the
> number one priority in development of Adminer. You are right that the
> published security fixes of phpMyAdmin is incomplete. For example the
> ClickJacking protection reported by me and partially fixed by you is
> not included in this list. And it is still not fixed completely
> (ClickJacking is still possible from the same domain). Another unfixed
> problem is with Referer leakage which you know about also for more
> than a year. Both are mentioned in the comparison.
> Security of PHP Applications is my most successful commercial training
> for five years so I think that I know something about it :-).
> Jakub Vrána
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d > _______________________________________________
> Phpmyadmin-users mailing list
> Phpmyadmin-users@... > https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users