Impossible to log in with default configuration

Bug #388703 reported by hackel
This bug affects 1 person
Affects: phpmyadmin (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Michal Čihař
Milestone: (none)

Bug Description

Binary package hint: phpmyadmin

Since upgrading to jaunty, I can no longer log into phpmyadmin as the root user with no password (the default configuration). Please fix this. Apparently--and inexplicably--the ability to actually USE this software with the standard Debian configuration was removed in order to close Debian bug #496442. It makes the software completely useless unless you go and add a mysql root password, remember it all the time, and insert it into all of your software, which is extremely pointless and annoying when developing locally. Please fix this!

Michal Čihař (nijel) wrote :

This is an intentional change. You need to enable empty password logins explicitly with the AllowNoPassword directive; see the phpMyAdmin documentation for details.

I added documentation about this to README.Debian.

Changed in phpmyadmin (Ubuntu):
assignee: nobody → Michal Čihař (nijel)
status: New → Fix Committed
hackel (hackel) wrote :

I did figure this out after I submitted the bug. I believe that it is still a valid bug, however. Since Ubuntu ships a default MySQL configuration with a blank root password, the default phpMyAdmin configuration should be modified to allow it to work out of the box on Ubuntu, even if this isn't the default upstream. There's only so much a distribution can do to ensure security in the face of a negligent user/administrator. It is not the place of phpMyAdmin (client) to control the security of a completely separate (server) application.

Michal Čihař (nijel) wrote :

Yes, we (as phpMyAdmin developers) originally argued this way as well. However, there is the problem that MySQL allows local connections without passwords, while phpMyAdmin allows them to be made remotely. That's the reason why empty passwords are disabled by default (by upstream).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package phpmyadmin - 4:3.2.0.1-1

---------------
phpmyadmin (4:3.2.0.1-1) unstable; urgency=high

  * New upstream version fixing XSS (PMASA-2009-5).
  * Document no empty password in README.Debian and the shipped sample
    configuration file (LP: #388703).
  * Install service file for avahi (if web service enabled and if avahi is
    installed) (LP: #369244).
  * Mention protecting of setup if not using provided configuration snippets
    for webservers.
  * Call ucf with --debconf-ok in postrm (Closes: #534894).

 -- Andrew Mitchell <email address hidden> Thu, 02 Jul 2009 06:48:12 +0100

Changed in phpmyadmin (Ubuntu):
status: Fix Committed → Fix Released
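
A defender-side check for the AllowNoPassword directive discussed in this report, as an added example that is not part of the original bug thread or of the phpMyAdmin or Debian packaging: it scans the text of a phpMyAdmin configuration file and reports every active (uncommented) assignment that enables empty-password logins. The sample configuration is constructed, and the `$cfg['Servers'][...]['AllowNoPassword']` layout is assumed to follow the usual config.inc.php form.

```python
import re

# Matches e.g.  $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
# PHP array keys are case-sensitive, so the match is too.
ASSIGN = re.compile(
    r"""\$cfg\[['"]Servers['"]\]\[[^\]]+\]\[['"]AllowNoPassword['"]\]\s*=\s*([^;]+);"""
)
# Values PHP evaluates as false; anything else enables the directive.
FALSY = {"false", "0", "", "null"}


def strip_php_comments(text):
    """Blank out /* */ blocks and //- or #-comments, keeping line numbers.

    Assumption: string-unaware, which is adequate for simple config files.
    """
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"),
                  text, flags=re.DOTALL)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0]
                     for line in text.splitlines())


def allow_no_password_findings(config_text):
    """Return [(line_number, value)] for active assignments that enable it."""
    findings = []
    lines = strip_php_comments(config_text).splitlines()
    for lineno, line in enumerate(lines, 1):
        m = ASSIGN.search(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value.strip("'\"").lower() not in FALSY:
            findings.append((lineno, value))
    return findings


# Constructed sample: two commented-out settings, one disabled, one enabled.
SAMPLE = """<?php
// $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
/* $cfg['Servers'][$i]['AllowNoPassword'] = TRUE;
   still inside a block comment */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowNoPassword'] = FALSE;
$i++;
$cfg['Servers'][$i]['AllowNoPassword'] = true; # dev box
"""

if __name__ == "__main__":
    for lineno, value in allow_no_password_findings(SAMPLE):
        print(f"line {lineno}: AllowNoPassword = {value} (empty-password logins enabled)")
```

A finding matters most where the web interface is reachable from other hosts, since that is the case the upstream default was changed to cover.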