06/11/2010
Upgrading Plesk’s phpMyAdmin to the latest version
phpMyAdmin is a great tool but a constant headache (xss, sql injections,etc) as well. Every now and then there are new security holes discovered that need to be fixed ASAP. On the other hand, Plesk doesn’t seem to follow these security fixes, so if you want to keep yourself a bit more secure than Plesk thinks you should be, then you have to upgrade phpMyAdmin by your self. This procedure isn’t very straightforward due to the way Plesk uses PMA so I’ll post here some notes/guidelines on how to achieve that.
My notes are based on Plesk 8.6, so I am sure newer Plesk versions are way easier to upgrade than this.
Step 1: Download new phpMyAdmin
# wget http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.3.8/phpMyAdmin-3.3.8-all-languages.tar.gz
Step 2: Extract into /opt/psa/admin/htdocs/domains/databases/
# mv phpMyAdmin-3.3.8-all-languages.tar.gz /opt/psa/admin/htdocs/domains/databases/ # cd /opt/psa/admin/htdocs/domains/databases/ # tar zxf phpMyAdmin-3.3.8-all-languages.tar.gz
Step 3: Rename old PMA and symlink the new
# mv phpMyAdmin phpMyAdmin.old # ln -sf phpMyAdmin-3.3.8-all-languages phpMyAdmin
Step 4: Copy old config file
This step depends on your old PMA version. Since my version was 2.8.2.4 I had to:
#cp phpMyAdmin.old/libraries/config.default.php phpMyAdmin/config.inc.php
If you have newer versions of PMA just do:
#cp phpMyAdmin.old/config.inc.php phpMyAdmin/config.inc.php
Step 5: Edit necessary files
Substep a: edit phpMyAdmin/libraries/session.inc.php
When the first comment block finishes and before line 14:
if (! defined('PHPMYADMIN')) {
add the following snippet:
// Close Plesk's session. $proxy_session_id = session_id(); @session_write_close(); unset($_SESSION);
Substep b: edit phpMyAdmin/libraries/common.inc.php around line 190 and change:
'error_handler', 'PMA_PHP_SELF', 'variables_whitelist', 'key' );
to
'error_handler', 'PMA_PHP_SELF', 'variables_whitelist', 'key', // from Plesk 'PHP_SELF', 'db_host', 'db_port', 'db_user', 'db_pass', 'db_name' );
!! Mind the “,” after ‘key’ !!
That’s about it…you should now be able to use your new PMA version through Plesk.
Filed by kargig at 20:49 under Internet,Linux,Networking
Tags: config, debian, phpmyadmin, plesk, PMA, security, sql injection, vhost, xss
8 Comments | 15,786 views