Open epozuelo opened 4 years ago
Setting SameSite to an appropriate value in the cookies might be an easier solution.
This is now the default in Chrome.
I don't believe SameSite is an option, because we need to support 7.1 and need to support session.auto_start.
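Added example (not phpPgAdmin code and not the content of #99): the two defences the comments above weigh against each other, written so the PHP-version and session.auto_start constraints are visible. The function names (`configure_session_cookie`, `csrf_token`, `csrf_check`) and the form handler are my own illustration; the "path hack" for PHP 7.1/7.2 is a widely used workaround, not a supported API, and is labelled as such in the code.

```php
<?php
// Added example, not project code. Two CSRF defences and their constraints.
//
// 1. SameSite on the session cookie.
//    - The 'samesite' option of session_set_cookie_params() and the
//      session.cookie_samesite INI directive exist only in PHP >= 7.3.
//    - With session.auto_start=1 the session and its Set-Cookie header are
//      created before any script runs, so calling this function is already
//      too late; on PHP >= 7.3 the attribute must then come from php.ini or
//      .htaccess instead, e.g.   session.cookie_samesite = Lax
//      On PHP 7.1/7.2 with auto_start there is no supported way to add it,
//      which is the constraint raised in the comment above.
function configure_session_cookie(): string
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    if (PHP_VERSION_ID >= 70300) {
        // Native support: all attributes, including SameSite, in one call.
        session_set_cookie_params([
            'lifetime' => 0,
            'path'     => '/',
            'domain'   => '',
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
        return 'native';
    }

    // PHP 7.1/7.2 (assumption: session.auto_start=0, session not yet started).
    // Unsupported hack: PHP does not escape the path argument, so the
    // attribute can be smuggled through it. Verify the resulting Set-Cookie
    // header in your own deployment before relying on this.
    session_set_cookie_params(0, '/; SameSite=Lax', '', $secure, true);
    return 'path-hack';
}

// 2. Per-session anti-CSRF token. This needs only $_SESSION, so it works on
//    PHP 7.1 and under session.auto_start, which is why a token-based fix is
//    the usual alternative when SameSite cannot be set.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit, CSPRNG
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(array $post): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals(): constant-time comparison, and both operands must be strings.
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Usage sketch for a state-changing form handler (illustrative only).
if (session_status() !== PHP_SESSION_ACTIVE) {
    configure_session_cookie();   // only effective if it precedes session_start()
    session_start();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    // ... perform the state-changing action here ...
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Run</button></form>';
```

The check to run after deploying either variant is the same: fetch a page with `curl -si` and confirm the `Set-Cookie:` line for the session cookie actually carries `SameSite=Lax` (it will not under auto_start unless the directive is in php.ini), and that a POST without the hidden field is rejected with 403.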
Do the fixes from #99 look good to resolve this issue?
I think they do, but I think it needs more testing from others. Arguably we're at the point where a SameSite patch might make more sense, dropping support for 7.1/7.2.
Is #99 going to be merged anytime soon?
Figuring there's been no activity on this repo at all in like 18 months, probably not, no.
You must contact Robert Treat; if he can at least activate the merge bot, he won't need to check every PR.
Hey folks, apologies as my phppgadmin work fell by the wayside during the pandemic. I've no issues dropping 7.1/7.2 support at this point in order to merge #99, but I haven't seen any positive feedback from folks with regards to testing the patch to verify its suitability and/or making sure it isn't breaking anything else.
Is this going to be fixed anytime soon with a valid release? Maybe merging #99 would be an opportunity...
@computersalat You will notice that the last commit to this repository was almost 3 years ago; this project is dead/abandoned.
My fork of this project does have this issue fixed via that PR, however: https://github.com/ReimuHakurei/phpPgAdmin
So your fork seems to be the most current one? I wrote an email to @ioguix to grant access to the most active fork owners so we can merge back to this repo and continue maintenance here. Let's see what he is going to reply... I hope he is still alive and going to answer soon...
Hi there,
Yeah, I'm alive.
I'm glad some people keep maintaining PPA. But the historical owner and maintainer is Robert Treat, a.k.a. @xzilla. Moreover, I retired several years ago from PPA, whereas @xzilla revived it between 2019 and 2021.
As much as I would like to take this decision, I'm not legitimate. It's really @xzilla's project, his decision.
I hope he will chime in to this conversation soon; I'll try to ping him anyway.
Hi @ioguix , thank you for your quick response.
Hopefully @xzilla will take part soon. Nobody will take anyone's project away from anyone. I/We understand that you don't want to make this decision, but correct me if I am wrong: you are the owner of the project here, so IMHO only you can grant access to follow-up maintainers. The intention is to keep it maintained here, not in other forks, because that is going to confuse users and should be prevented.
Regards Chris
@ioguix It doesn't look like @xzilla will take part soon ... it is so sad to see.
Indeed. I'm now trying to reach him using other means.
IIRC @ioguix at one point thought he should be removed from the project, and I said I would leave him on so that, in case I died, someone would have access... but I guess I am not dead yet.
Anyway, I have some mixed feelings about what to do with the project, since people never seemed to want to contribute in a way that I asked (mostly around testing rigor) and apparently not enough people are coalescing around any given fork but also I certainly don't want people to have to suffer using pgAdmin :-)
WRT this patch, I guess if it has been merged in other projects, that might be an indication that it is "good enough" for use, although what might be better would be 2 patches, one which drops php 7.x support, and a second which resolves this issue. (That assumes someone would be willing to do said patches, and/or people wouldn't object to dropping 7.x support)
Hi,
I'm sure people with enough motivation and competence could do whatever is required to have their patch included, as long as some maintainers are around, answer in a timely fashion and help with patch review and suggestions.
I absolutely know I have no time to spend on PPA anymore, so I'll not be able to carry such a burden.
@xzilla, I know you brought back PPA from the dead projects 4-5 years ago, but now it seems to somewhat collapse again. I feel sorry to let you down on this, maybe it's time to get some fresh blood on board?
@xzilla first of all I hope long life and good health to you and to others too. phpPgAdmin has always been a very good alternative to the others and, as you know, when a project is created it never goes as we would like, but what is done is precious for others even if we personally think it's not. My suggestion would be to give admin permissions to the people who contributed well through this repo or forks while you were less active on your repo. For example @ReimuHakurei, @ioguix and some others whose names I forgot.
I have come across this report of CSRF vulnerabilities in phppgadmin:
https://snyk.io/vuln/SNYK-PHP-PHPPGADMINPHPPGADMIN-543885
There are more details on this page:
https://github.com/snoopysecurity/Public/blob/master/phppgadmin%20CSRF%20Vulnerability.pdf