Re: Compare phpMyAdmin with Adminer

by Jakub Vrána

These issues have been known for more than a year, at least to Michal.
Moreover, the first one (same domain ClickJacking) could hardly be
fixed because phpMyAdmin uses frames. So it's more like a design
decision (phpMyAdmin traded security and user experience for potential
performance improvement).

Jakub Vrána

> I find it troubling that a so-called security expert is discussing
> unfixed security holes in a public forum. Good work, thanks.

>> The difference between Adminer and phpMyAdmin is that Adminer is
>> designed from the start as a secure application and that security is the
>> number one priority in development of Adminer. You are right that the
>> published security fixes of phpMyAdmin are incomplete. For example the
>> ClickJacking protection reported by me and partially fixed by you is
>> not included in this list. And it is still not fixed completely
>> (ClickJacking is still possible from the same domain). Another unfixed
>> problem is with Referer leakage, which you have also known about for more
>> than a year. Both are mentioned in the comparison.


_______________________________________________
Phpmyadmin-users mailing list
Phpmyadmin-users@...
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users
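
Added example, not part of the original message and not code from phpMyAdmin or Adminer: a small response-header audit that shows the trade-off discussed above. A frame-based interface can at most restrict framing to its own origin, which leaves same-origin framing possible, and a missing or permissive `Referrer-Policy` leaves Referer exposure to the browser. The sample headers and all function names are constructed for illustration.

```python
# Constructed sample responses; not captured from phpMyAdmin or Adminer.
SAMPLES = {
    "no protection": {"Content-Type": "text/html"},
    "frameset-compatible": {"X-Frame-Options": "SAMEORIGIN"},
    "frame-free": {"X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer"},
    "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
            "Referrer-Policy": "unsafe-url"},
}

# Policies under which a full URL can be sent to another origin.
FULL_URL_POLICIES = {"unsafe-url", "no-referrer-when-downgrade"}


def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}


def framing_policy(headers):
    """Return 'none', 'same-origin', 'listed' or 'any' (who may frame the page)."""
    h = _lower(headers)
    # CSP frame-ancestors is checked first; X-Frame-Options is the older header.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if sources == ["'none'"]:
                return "none"
            if sources == ["'self'"]:
                return "same-origin"
            return "listed"  # other source lists need manual review
    xfo = h.get("x-frame-options", "").strip().upper()
    return {"DENY": "none", "SAMEORIGIN": "same-origin"}.get(xfo, "any")


def referer_exposure(headers):
    """Return 'restricted', 'full-url' or 'browser-default' (header absent)."""
    value = _lower(headers).get("referrer-policy")
    if value is None:
        return "browser-default"
    policy = value.split(",")[-1].strip().lower()  # last listed policy is used
    return "full-url" if policy in FULL_URL_POLICIES else "restricted"


def audit(headers):
    """List the findings for one response; an empty list means both are locked down."""
    findings = []
    framing = framing_policy(headers)
    if framing != "none":
        findings.append("framing allowed: " + framing)
    exposure = referer_exposure(headers)
    if exposure != "restricted":
        findings.append("referer: " + exposure)
    return findings
```
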
