I think that you still don't understand what I mean. Other-domain
ClickJacking is fixed for about a year, there's no problem. But writing
<iframe src="http://localhost/phpMyAdmin/?db=cds"> in some file on the
same domain still works.
Jakub Vrána
> Hi
>
> On Sat, 29 Jan 2011 01:20:03 +0100
> Jakub Vrána <jakub@...> wrote:
>
>>>> Current solution does not prevent the same-domain ClickJacking because
>>>> if you access for example http://localhost/phpMyAdmin/?db=cds (without
>>>> token) then phpMyAdmin still happily works.
>>
>>> Yes it does work intentionally. But that still pretty much lowers
>>> risk.
>>
>> I really don't see how this lowers the risk. phpMyAdmin is vulnerable
>> to same-domain ClickJacking, that's my point.
>
> If you allow $cfg['AllowThirdPartyFraming'] then yes, but it's your
> choice.
>
> ------------------------------------------------------------------------------
> Special Offer-- Download ArcSight Logger for FREE (a $49 USD value)!
> Finally, a world-class log management solution at an even better price-free!
> Download using promo code Free_Logger_4_Dev2Dev. Offer expires
> February 28th, so secure your free ArcSight Logger TODAY!
> http://p.sf.net/sfu/arcsight-sfd2d
>
> _______________________________________________
> Phpmyadmin-users mailing list
> Phpmyadmin-users@...
> https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users
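The distinction argued over in this thread, worked through as an added example (not phpMyAdmin's code): a framing policy mirroring the thread's `AllowThirdPartyFraming` setting, mapped to the response headers a server would send and to the decision a client-side frame-buster would make. The policy names and the function names are assumptions for illustration; the point shown is that a same-origin policy, whether enforced by `SAMEORIGIN` or by a script, still lets any page on the same origin frame the application.

```javascript
// Added example, not phpMyAdmin's own code. Policy names are hypothetical:
//   'allow'      ~ third-party framing permitted
//   'sameorigin' ~ third-party framing blocked, same-origin framing permitted
//   'deny'       ~ no framing at all
function originOf(url) {
  // Reduce a URL to scheme://host[:port]; path and query play no role.
  return new URL(url).origin;
}

// Server side: headers that enforce the policy in modern browsers.
// Note that SAMEORIGIN / frame-ancestors 'self' still admit a framer on the
// same origin, which is the same-domain case raised in the thread.
function frameHeaders(policy) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allow':
      return {};
    default:
      throw new Error('unknown policy: ' + policy);
  }
}

// Client side: should a frame-busting script break out of its frame?
//   topUrl === null      -> page is the top-level document, not framed
//   topUrl === undefined -> framed, but top.location is unreadable; in a real
//                           browser that read throws cross-origin, so a buster
//                           must treat "unreadable" as a foreign framer
function shouldBust(selfUrl, topUrl, policy) {
  if (topUrl === null) return false;
  if (policy === 'allow') return false;
  if (policy === 'deny') return true;
  if (policy !== 'sameorigin') throw new Error('unknown policy: ' + policy);
  if (topUrl === undefined) return true;
  // Same origin: the script lets the framer through, exactly as the thread says.
  return originOf(selfUrl) !== originOf(topUrl);
}

module.exports = { originOf, frameHeaders, shouldBust };
```

Only the `deny` policy refuses a framer on the application's own origin; `sameorigin` is a third-party control, not a same-domain one.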