Security problem

Issue #369 resolved
ExDomino created an issue

Version: 1.9.7.1

Hello, I would like to report some security issues with phpLiteAdmin, the kind of thing I have to modify myself at each version.

Line 4277: using password_verify() to verify a password is more secure;

Line 1055: password field should be autofocused;

Line 1056: remember me field should NEVER be checked by default;

Line 1108: there is no logout button if there is no database found.

Thank you for reading.

Comments (4)

  1. phpLiteAdmin repo owner

    Line 4277: using password_verify() to verify a password is more secure;

    password_verify() requires PHP 5.5 and we still support PHP 5.2.4. I know this is all outdated, but it is one of our main goals that phpLiteAdmin runs on almost any PHP server and thus we try to keep the PHP requirement low as long as it is not required by something important. Have you checked the latest development versions? We have changed the password check a little since 1.9.7.1. It now uses hash_equals (and a small fall-back implementation, if unavailable on old PHP versions).

    Line 1055: password field should be autofocused;

    Agreed. Will change it soon.

    Line 1056: remember me field should NEVER be checked by default;

    This is your opinion, but the internet is full of discussions about this topic. Most services nowadays even removed this checkbox altogether. They just always turn on "remember me" and assume that you know you need to log out or use a private window if you are on a shared computer. And you really should.

    I would say that using phpLiteAdmin on a shared computer is a rather rare case. Users of phpLiteAdmin are rather advanced and should know about the consequences of "Remember me" on a shared computer and that they need to log out. On the other hand, 99% of the users use phpLiteAdmin on their local development machine and just don't want to log in every time. That's why it is enabled by default.

    Do you really use phpLiteAdmin on a shared computer that you don't trust and fear you forget to log out? Come on. After using phpLiteAdmin on an untrusted shared computer, you would not only need to clean cookies, but also cache, history etc. If you do so, the "remember me" cookie is gone as well. On a shared computer, always use private mode and close your window afterwards. Problem solved.

    Line 1108: there is no logout button if there is no database found.

    True. This is because in this case, you are in the process of setting up phpLiteAdmin by creating your first database. In which case could that be a problem? Either you decide to set up a database and afterwards you can log out. Or you decide to not set it up and delete phpLiteAdmin altogether.
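The two password-check routes discussed in this comment, as an added illustration that is not phpLiteAdmin's own code: a timing-safe hash comparison via hash_equals() with a small fall-back for PHP versions that lack it, beside the password_verify() route the reporter asked for. The stored-hash format (unsalted SHA-1 hex digest for the legacy route), the function names and the sample values are assumptions made for the example.

```php
<?php
// Added example, not phpLiteAdmin's own code. The SHA-1 storage format and
// the function names below are assumptions made for illustration.

if (!function_exists('hash_equals')) {
    // Fall-back for PHP < 5.6: compare every byte and accumulate differences,
    // so the loop does not return early on the first mismatching byte.
    function hash_equals($known, $user)
    {
        if (!is_string($known) || !is_string($user)) {
            return false;
        }
        $len = strlen($known);
        if ($len !== strlen($user)) {
            return false;
        }
        $diff = 0;
        for ($i = 0; $i < $len; $i++) {
            $diff |= ord($known[$i]) ^ ord($user[$i]);
        }
        return $diff === 0;
    }
}

// Legacy route (runs on PHP 5.2+): hash the submitted password with the same
// algorithm used when the configured hash was stored, then compare in
// constant time. A plain "==" here would leak timing information and is also
// subject to PHP's loose comparison of numeric-looking strings.
function check_password_legacy($submitted, $stored_sha1_hex)
{
    return hash_equals($stored_sha1_hex, sha1($submitted));
}

// Preferred route (PHP 5.5+): password_hash() produces a salted bcrypt hash,
// and password_verify() performs the constant-time comparison itself.
function check_password_modern($submitted, $stored_bcrypt_hash)
{
    return password_verify($submitted, $stored_bcrypt_hash);
}

// Constructed demonstration values.
$stored_sha1 = sha1('admin');
var_dump(check_password_legacy('admin', $stored_sha1));
var_dump(check_password_legacy('Admin', $stored_sha1));

if (function_exists('password_verify')) {
    $stored_bcrypt = password_hash('admin', PASSWORD_DEFAULT);
    var_dump(check_password_modern('admin', $stored_bcrypt));
    var_dump(check_password_modern('Admin', $stored_bcrypt));
}
```

The fall-back keeps the same contract as the built-in (false on length mismatch, no early exit inside the byte loop). The legacy route still compares an unsalted fast hash, so its only gain over `==` is the constant-time comparison; the bcrypt route additionally salts and slows the hash, which is why it is the better choice wherever the PHP version allows it.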

  2. phpLiteAdmin repo owner

    Password field has autofocus since commit 20bb7f9ae2740c839fdca035b58a66cf3e0c3dce, which is included in version 1.9.8.x.

    We will not use password_verify at the moment for compatibility reasons with old PHP versions and I don't see a security problem using hash_equals.

    Remember me field should be checked by default in my opinion as explained above.

    And I don’t see a need for a logout button during the setup process.

    Thus, I will close this issue.
