Hello Both phpmyadmin 2.5.6 and 2.5.7-pl1 pop up the username and password dialogue occassionally when already logged in. It definitely pops it up when I try to logout and sometimes it pops it up when changing databases as well. And the strange thing is when this dialogue box pops up it does not accept the correct root username and password so you can only cancel it at which point it denies access to the website completely. I'm using apache 2.0.49-r4. # emerge info Portage 2.0.50-r8 (default-x86-1.4, gcc-3.3.3, glibc-2.3.3.20040420-r0, 2.4.26) ================================================================= System uname: 2.4.26 i686 AMD Athlon(tm) processor Gentoo Base System version 1.4.16 distcc 2.13 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.3 [enabled] Autoconf: sys-devel/autoconf-2.59-r3 Automake: sys-devel/automake-1.8.3 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CFLAGS="-march=athlon-tbird -O3 -pipe" CHOST="i686-pc-linux-gnu" COMPILER="gcc3" CONFIG_PROTECT="/etc /etc/tomcat /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" CXXFLAGS="-march=athlon-tbird -O3 -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="autoaddcvs buildpkg ccache notitles sandbox" GENTOO_MIRRORS="http://212.219.56.162/sites/www.ibiblio.org/gentoo/ http://212.219.56.152/sites/www.ibiblio.org/gentoo/ http://212.219.56.131/sites/www.ibiblio.org/gentoo/ http://194.83.57.3/sites/www.ibiblio.org/gentoo/" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="" SYNC="rsync://rsync.uk.gentoo.org/gentoo-portage" USE="acpi acpi4linux apache2 berkdb crypt curl dedicated fax foomaticdb gd gd-external gif imap innodb jabber java jpeg junit libwww mad maildir md5sum msn mysql nas ncurses oggvorbis oscar pam parse-clocks pdflib perl php png python readline samba slang spell ssl tcpd tetex tiff truetype x86 xml xml2 yahoo zlib"
I just realised a very serious side effect to this problem. Since it does not accept the root username and password in the dialogue box that comes up when you click 'Logout' it does not actually log you out. It merely says: -- Welcome to phpMyAdmin 2.5.7-pl1 Wrong username/password. Access denied. -- Then if you revisit the home page i.e. http://localhost/phpmyadmin/ it logs you in automatically into the old session. So in effect there is no way to logout at all. This is a serious security issue so I'm changing severity to critical.
did you unmerge older verisons ?
Yes. When I upgraded from 2.5.6 to 2.5.7-pl1 I not only unmerged the older version but also manually rm -r'd the /var/www/localhost/htdocs/phpmyadmin and /etc/phpmyadmin/. When I merged 2.5.7-pl1 it emerged webapps-config first and said a whole bunch of stuff about vhosts (as a result of the use flag being disabled) as well.
I would have had to unmerge older versions anyway since 2.5.7-pl1 blocks 2.5.6.
I cannot duplicate this problem myself -- phpMyAdmin works for me. Please can you find an exact series of steps that always demonstrates the problem. Thanks, Tom
did you do the following ? 1. Update MySQL's grant tables and the pmadb database: mysql -u root -p < ${MY_SQLSCRIPTSDIR}/mysql/${PVR}_create.sql 2. Reload MySQL: /etc/init.d/mysql restart
make sure your config files are up2date (use etc-update)
It seems there are no configuration files to update and yes I did follow the intructions at the end of the emerge. I will report steps to reproduce in a day or two.
Dropping to Severity==normal until Dhruba responds or others report the same problem.
I used phpmyadmin again today and it behaved even worse that usual to the point where it was unusable. Essentially, steps to reproduce are merely to use it normally. Log in, change database or click logout and it'll pop up the apache dialogue box (in which the login doesn't work). It won't log you out either. I would let you try it but that would mean giving away the root password. There's nothing unusual about the machine either; it's a standard emerge of php, mysql and phpmyadmin. TBH I'm not sure how to debug this - unless it keeps logs somewhere. The additional problem I had today was that when you selected a table on the left it would not change the display on the right at all. The only thing is that the sysadmin hasn't updated the mysql privilege tables AFAIK from mysql-3.x which phpmyadmin throws a warning about.
I get this warning from phpmyadmin. Should it make a difference? ** Warning: Your privilege table structure seem to be older than this MySQL version! Please run the script mysql_fix_privilege_tables that should be included in your MySQL server distribution to solve this problem! **
Dhruba, Broken grant tables are definitely consistent with the errors your are seeing. Read this: http://dev.mysql.com/doc/mysql/en/Upgrading-grant-tables.html And run the mysql_fix_privilege_tables command if it seems relevant to you. Regards, Tom
Okay I ran that command and restarted mysql as instructed. It still pops up dialogue box for username and password when I click logout though. The rest is working fine AFAICT.
Great. The username/password box on logout is normal and has to do with how the HTTP authentication and browser caching of usernames and passwords works. Closing as INVALID (not a bug).