BFM on phpMyAdmin keeps blocking my personal computer

Sygmoral
Verified User, joined Aug 15, 2012, 64 messages
I just read that DirectAdmin also scans pma logs since 1.46. It's something I had not noticed before, but since a week ago I do, because my server has blocked my personal computer twice in that time. I'm not sure where the issue is. It may be a phpMyAdmin bug, but I can't be sure because I don't know who configures the log settings.

I don't type in wrong passwords, so that's not the issue, but what often does happen is that when I 'log out' and then try to log in as a different user, it keeps showing me the login dialog, so I have to click 'cancel' and reload the page; only then will it work. Unfortunately all those tries count as a failed login (unsuccessful despite correct credentials; probably because it is still checking against the old user or something), so BFM blocks my computer if it happens a few times. I set the count limit in BFM quite low because I get attacks every minute.

So I know about that pma issue now, and I never try to log in more than once immediately after logging out - but it blocked me again just half an hour ago anyway. I noticed that BFM had noticed 5 failed logins from my IP in one second's time. Really now?..

I could just disable BFM's pma feature, but I actually sort of like the idea, so I'd like to get it working correctly instead. It would be especially nice if phpMyAdmin didn't refuse any logins right after a logout; and if that can't be solved, it would be nice if a single login failure didn't count for 5.

I am still using DA 1.46.3, but didn't see anything about pma in the 1.47 changelog. I am using the latest pma, since I updated it right after the first time I got locked out. It's using default settings, which I believe means HTTP authentication (in any case it's a dialog, not a web form).
 
Ah, thanks for the report.

Because PMA uses the old httpd basic auth header method, the way one logs out is that PMA tells the browser that the same user/pass is actually invalid.
I'm guessing this is triggering the failed log (I've actually just confirmed it).

You can also confirm in:
/var/www/html/phpMyAdmin/log/auth.log

When you log out, it will give you a login popup, and if you try to use the correct user/pass, you'll continue to get denied; that's just how it works to ensure you're logged out.
Press ESC, go back to just /phpmyadmin to login again.

I've poked around, and noticed that when you logout, they tag on:
Code:
&old_usr=yourusername
where.. this is the condition for PMA logout:
Code:
if ($_GET['old_usr'] == $_SERVER['PHP_AUTH_USER'])
I've created v2 of the pma logging patch, and added it to files1.
If you re-install PMA (wait 24 hours if you're not using files1), this should add the needed code.

If you want to confirm it's added, the new code would be in the file:
Code:
/var/www/html/phpMyAdmin/libraries/logging.inc.php
in the function "function log_to_file($user, $status)", the new code is:
Code:
        //check for logout
        if ($status == 'not authenticated')
        {
                if (isset($_GET['old_usr']) && isset($_SERVER['PHP_AUTH_USER']))
                {
                        if ($_GET['old_usr'] == $_SERVER['PHP_AUTH_USER'])
                        {
                                $status = 'logout';
                        }
                }
        }
just before the "$log_str =" line.

John
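To show why the burst of 'not authenticated' records after a basic-auth logout trips a per-IP failure threshold, and how relabelling them as 'logout' (the condition from the v2 patch above) stops that, here is an added example that is not code from the thread, phpMyAdmin or DirectAdmin. It assumes log records as dicts with the request data the patch inspects, a simplified BFM-style per-IP counter, and a constructed sample where the admin logs out while a remote IP guesses wrong passwords.

```python
"""Models the phpMyAdmin HTTP basic-auth logout case from the thread.

Assumptions (not the real DirectAdmin/BFM or phpMyAdmin code):
- a record is a dict: ip, status, get (the old_usr GET parameter),
  server (the PHP_AUTH_USER header the browser keeps re-sending)
- the 'ok' success status and the threshold logic are constructed
"""
from collections import Counter


def classify(status, get, server):
    """Same check as the v2 patch: a 'not authenticated' record produced
    by the logout round-trip (old_usr equals the still-sent basic-auth
    user) is relabelled 'logout' instead of counting as a failed login."""
    if status == 'not authenticated':
        if 'old_usr' in get and 'PHP_AUTH_USER' in server:
            if get['old_usr'] == server['PHP_AUTH_USER']:
                return 'logout'
    return status


def count_failures(records, apply_patch):
    """Per-IP count of records that BFM would treat as failed logins."""
    counts = Counter()
    for r in records:
        status = classify(r['status'], r['get'], r['server']) if apply_patch else r['status']
        if status == 'not authenticated':
            counts[r['ip']] += 1
    return counts


def blocked_ips(records, limit, apply_patch=True):
    """IPs that reached the failure limit, sorted for stable comparison."""
    return sorted(ip for ip, n in count_failures(records, apply_patch).items() if n >= limit)


# Constructed sample: the admin logs out and the browser re-sends the old
# credentials five times; a second IP genuinely fails five times.
ADMIN_IP, ATTACKER_IP = '192.0.2.10', '198.51.100.7'
SAMPLE = [
    {'ip': ADMIN_IP, 'status': 'not authenticated',
     'get': {'old_usr': 'admin'}, 'server': {'PHP_AUTH_USER': 'admin'}}
] * 5 + [
    {'ip': ATTACKER_IP, 'status': 'not authenticated',
     'get': {}, 'server': {'PHP_AUTH_USER': 'root'}}
] * 5 + [
    {'ip': ADMIN_IP, 'status': 'ok', 'get': {}, 'server': {'PHP_AUTH_USER': 'admin'}}
]

if __name__ == '__main__':
    print('without patch:', blocked_ips(SAMPLE, 5, apply_patch=False))  # both IPs
    print('with patch:   ', blocked_ips(SAMPLE, 5))                     # attacker only
```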
 
Excellent, thanks for the fix! BFM still shows 2 'failures' from half an hour ago, but after rebuilding phpMyAdmin and happily recreating the conditions that used to trigger those failures, they are no longer appearing.
 