Bug 540891 - blowfish secret for cookie authentication is not hashed / fails if size too long
Summary: blowfish secret for cookie authentication is not hashed / fails if size too long
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: phpMyAdmin
Version: el5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Robert Scheck
QA Contact: Fedora Extras Quality Assurance
URL: https://sourceforge.net/tracker/?func...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-24 13:19 UTC by Till Maas
Modified: 2010-01-21 23:32 UTC (History)

Fixed In Version: 2.11.9.6-3.el4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-27 20:34:08 UTC
Type: ---
Embargoed:


Attachments
phpMyAdmin-2.11.9.6-blowfish.patch (3.90 KB, patch)
2009-12-03 22:40 UTC, Robert Scheck

Description Till Maas 2009-11-24 13:19:48 UTC
Description of problem:
I set a blowfish secret for cookie authentication that was longer than 56 bytes, which is the maximum size for blowfish. Then phpmyadmin fails with showing an empty page and this is shown in the error log entry:

2009-11-24 13:56:21: (mod_fastcgi.c.2618) FastCGI-stderr: PHP Warning:  mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Size of key is too large for this algorithm in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71
PHP Fatal error:  mcrypt_encrypt() [<a href='function.mcrypt-encrypt'>function.mcrypt-encrypt</a>]: Mcrypt initialisation failed in /usr/share/phpMyAdmin/libraries/mcrypt.lib.php on line 71

Version-Release number of selected component (if applicable):
2.11.9.6-1.el5

How reproducible:
always

Steps to Reproduce:
0. install php-mhash from CentOS Extras (not a dependency of phpMyAdmin in EPEL, but phpMyAdmin complains if it is missing)
1. use a secret that is larger than 56 bytes for $cfg['blowfish_secret'] in the config file
2. use cookie authentication
3. login
  
Actual results:
Empty page is displayed

Expected results:
User is logged in

Additional info:
Instead of just passing the secret to the mcrypt_encrypt function, it should be hashed to the appropriate length, probably with sha512 and then truncated to 56 bytes, or even better to the output of mcrypt_get_key_size('blowfish', 'cbc'), which is 56.
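The derivation proposed above, written out as an added example (this is not phpMyAdmin's code and not the attached patch; Python is used here instead of PHP to show the idea). The 56-byte key size is the value the report gives for mcrypt_get_key_size('blowfish', 'cbc'); the function names, the SHA-512 choice and the sample secret are assumptions for the example. raw_key_is_accepted mimics the length check that produced the "Size of key is too large" warning, and derive_blowfish_key shows that hashing the configured secret yields a key of valid length whatever the secret's length:

```python
import hashlib

# Key size reported by mcrypt_get_key_size('blowfish', 'cbc') in the bug report.
BLOWFISH_MAX_KEY_BYTES = 56


def raw_key_is_accepted(secret: bytes) -> bool:
    """Mimic mcrypt's key-length check (assumed behaviour for this example):
    an empty key or one longer than the cipher's maximum is rejected, which is
    the failure mode from the report (warning, fatal error, empty page)."""
    return 0 < len(secret) <= BLOWFISH_MAX_KEY_BYTES


def derive_blowfish_key(secret: str, key_size: int = BLOWFISH_MAX_KEY_BYTES) -> bytes:
    """Hash the configured secret with SHA-512 and truncate it to the cipher's
    key size, as proposed in the report. Any non-empty secret, including one far
    longer than 56 bytes, yields a key of exactly key_size bytes."""
    if key_size <= 0 or key_size > hashlib.sha512().digest_size:
        raise ValueError("key_size must be between 1 and the SHA-512 digest length (64)")
    if not secret:
        # Hashing an empty secret would silently produce a fixed, guessable key.
        raise ValueError("blowfish_secret must not be empty")
    digest = hashlib.sha512(secret.encode("utf-8")).digest()
    return digest[:key_size]


def main() -> None:
    # Constructed sample secret: 70 characters, longer than the 56-byte limit.
    long_secret = "x" * 70
    print("raw secret accepted as key:", raw_key_is_accepted(long_secret.encode("utf-8")))
    key = derive_blowfish_key(long_secret)
    print("derived key length:", len(key), "accepted:", raw_key_is_accepted(key))


if __name__ == "__main__":
    main()
```

Truncating a SHA-512 digest keeps the derivation deterministic, so an existing cookie stays decryptable across requests, while the configured secret itself is never handed to the cipher as a key.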

Comment 1 Robert Scheck 2009-11-29 13:06:13 UTC
CentOS Extras is an unsupported repository. Use the packages from Fedora EPEL,
please. Next point is, that phpMyAdmin 2.11.9.6 is in maintenance-only mode
by upstream; that means the 2.11.9.x branch will only get security updates,
no bugfixes anymore. We can't update to phpMyAdmin 3.x, because a newer version
of phpMyAdmin would require php >= 5.2, which neither RHEL 4 nor RHEL 5 is able
to satisfy (PHP 4.3.x, PHP 5.1.x).

Do you see the same issue in Fedora 11, 12 or Rawhide? If yes, we can try to
fix it then upstream and maybe backport Fedora-only. And if the issue doesn't
exist in Fedora any longer, we maybe can backport the fix already.

Comment 2 Till Maas 2009-11-29 13:17:30 UTC
I looked at the source of phpMyAdmin 3.2.3 and $GLOBALS['cfg']['blowfish_secret'] is still used without any modification like hashing or truncation, therefore I expect the issue to be present in Rawhide, too.

Comment 3 Robert Scheck 2009-11-29 13:28:25 UTC
I've opened upstream bug ID #2905629.

Comment 4 Robert Scheck 2009-11-29 13:40:32 UTC
Upstream has rejected your request:

> In Documentation.html:
> $cfg['blowfish_secret'] string
>     The "cookie" auth_type uses blowfish algorithm to encrypt the password.
>     The maximum number of characters for this parameter seems to be 46.

If you don't agree with upstream, please participate in the upstream bug.

Comment 5 Robert Scheck 2009-12-03 22:40:50 UTC
Created attachment 375944 [details]
phpMyAdmin-2.11.9.6-blowfish.patch

Comment 6 Robert Scheck 2009-12-03 22:41:33 UTC
Till, can you please test whether my backport try works for you as expected?

Comment 7 Fedora Update System 2009-12-03 22:45:13 UTC
phpMyAdmin-3.2.4-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc10

Comment 8 Fedora Update System 2009-12-03 22:45:17 UTC
phpMyAdmin-3.2.4-1.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc12

Comment 9 Fedora Update System 2009-12-05 00:01:07 UTC
phpMyAdmin-3.2.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-12711

Comment 10 Fedora Update System 2009-12-05 00:04:34 UTC
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12724

Comment 11 Fedora Update System 2009-12-05 00:04:53 UTC
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12727

Comment 12 Robert Scheck 2009-12-13 14:57:54 UTC
Till, ping? Can you please test the patch from comment #5?

Comment 13 Fedora Update System 2009-12-27 20:25:27 UTC
phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Robert Scheck 2009-12-27 20:33:46 UTC
Till, can you please test whether my backport try works for you as expected?

Comment 15 Fedora Update System 2009-12-27 20:34:01 UTC
phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 16 Till Maas 2009-12-30 18:52:51 UTC
(In reply to comment #14)
> Till, can you please test whether my backport try works for you as expected?

Sorry for the delay, I did not have access to the system on which I experienced the problem with phpMyAdmin. I just got a virtual machine running and the patch fixes the problem on CentOS 5.4.

Comment 17 Fedora Update System 2010-01-04 00:22:42 UTC
phpMyAdmin-2.11.9.6-2.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el4

Comment 18 Fedora Update System 2010-01-04 00:22:48 UTC
phpMyAdmin-2.11.9.6-2.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el5

Comment 19 Fedora Update System 2010-01-21 23:31:20 UTC
phpMyAdmin-2.11.9.6-3.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 20 Fedora Update System 2010-01-21 23:32:06 UTC
phpMyAdmin-2.11.9.6-3.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
