• If the plugin dir is not writeable WP phpMyAdmin crashes WordPress. This is the error message from the WordPress debug log:

    PHP Fatal error: Uncaught Error: Call to undefined function WpPhpMyAdminExtension__e() in /../wp-content/plugins/wp-phpmyadmin-extension/index.php:712

    Requiring write permissions on the plugin dir is bad anyway, especially for such a security-sensitive plugin.

    Even worse is the idea to copy the MySQL password in cleartext into a text file to the Linux tmp folder. What is the purpose of this?

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author ttodua

    (@ttodua)

    Thanks for notes:
    1) as noted in plugin readme too, it is advised to enable & use phpMyAdmin plugin on production servers only for the session you are doing your work, after that you are advised to deactivate. Not for the reason that there is a known vulnerability/issue, but for the reason of possible / unexpected vulnerability that is not known to the public at this moment.

    2) can you please tell, which code/where it copies cleartext file to tmp dir? phpMyAdmin only stores password in its config.php and does not copy to OS tmp dir

    Plugin Author ttodua

    (@ttodua)

    btw, about __e function – thanks, it was a bug, needs to be replaced with __; submitting fix now. re-install the plugin from ground from wp.org.

    • This reply was modified 1 year, 10 months ago by ttodua.
    Thread Starter Michael

    (@michael8888)

    If you launch phpMyAdmin from WP phpMyAdmin a couple files are created in /tmp. You can identify them by the owner (www-data). One of them contained the MySQL password. I don’t think that phpMyAdmin creates these files. Must be your plugin.

    Plugin Author ttodua

    (@ttodua)

    if you could provide the sample file/format of content (of course, with removed actual password or file path, replaced with dummy words/path) I could identify. also, are the files deleted thereafter on their own, or they are being left there?

    • This reply was modified 1 year, 10 months ago by ttodua.
    Plugin Author ttodua

    (@ttodua)

    I’ve revised and might say that seems to be expected:

    Thread Starter Michael

    (@michael8888)

    I no longer have the files and I already uninstalled the plugin.

    I don’t see in the code that a password is stored in a file. I have been using phpMyAdmin for many years on many systems and it never showed this behavior. I would know because we have a monitoring solution that sends an alert if new files appear in the system.

    You can easily find the files. Navigate to /tmp or the temp folder configured on your Linux system (not in your WordPress folder). Type ls -al. There should be several files created by the web server user. One of those files contains the password. The files are created when you open phpMyAdmin from the plugin and the files stay there even when you disable the plugin.

    I guess your plugin uses these files to automatically authenticate the user. By the way, it would be much better if the user had to authenticate first with username and password.
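The manual check described in the post above (look in the temp folder for files owned by the web server user and see whether one holds the MySQL password) can be scripted. This is an added example, not part of the thread and not the plugin's code; the function names are hypothetical and it assumes the password is set with a one-line `define('DB_PASSWORD', ...)` in wp-config.php.

```shell
#!/bin/sh
# Added example (not from the thread): list temp files owned by the web
# server user that contain the DB_PASSWORD from wp-config.php.
# Only file paths are printed, never the password itself.

# Print the DB_PASSWORD value from a wp-config.php (single or double quoted).
wp_db_password() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]DB_PASSWORD['\"][[:space:]]*,[[:space:]]*['\"]\(.*\)['\"][[:space:]]*)[[:space:]]*;.*/\1/p" "$1" | head -n 1
}

# Usage: find_password_leaks TMPDIR WP_CONFIG [OWNER]
# OWNER defaults to www-data (the owner named in the thread); a numeric uid works too.
# Example (paths are assumptions): find_password_leaks /tmp /var/www/html/wp-config.php
find_password_leaks() {
    tmpdir=$1; config=$2; owner=${3:-www-data}
    pw=$(wp_db_password "$config")
    # An empty pattern would match every file, so refuse to search with one.
    [ -n "$pw" ] || { echo "no DB_PASSWORD found in $config" >&2; return 2; }
    # -F: match the password as a fixed string, not a regex; -l: file names only.
    # Caveat: the password is briefly visible in grep's argument list (ps).
    find "$tmpdir" -type f -user "$owner" -exec grep -lF -e "$pw" {} + 2>/dev/null || true
}

# Of the leaking files, list those that every local user can read.
world_readable_leaks() {
    find_password_leaks "$@" | while IFS= read -r f; do
        if [ -n "$(find "$f" -perm -004)" ]; then
            printf '%s\n' "$f"
        fi
    done
}
```

Any path reported by `world_readable_leaks` exposes the database credentials to every local account on the host, so after removing the files the MySQL password should be rotated.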

    Plugin Author ttodua

    (@ttodua)

    I will try to review it whenever time permits.

    Thanks for noting this finding.

  • The topic ‘WP phpMyAdmin crashes WordPress’ is closed to new replies.