Michael Widenius wrote:
>
> Hi!
>
> It has come to our attention that to use phpmyadmin one should set
> up MySQL to allow read on all columns in the mysql.user table.
>
> This is however very dangerous as if one knows the context of the
> password field in the above table, one can easily make a modified
> client that uses this to connect to the MySQL server.
>
> The encrypted password is the real password in MySQL; the password is
> only encrypted to not let one guess your real password; it was
> however never meant to be made readable to all! Unfortunately we
Monty:

Thanks for the heads up. Should it matter that someone could make a modified
client for this user if the following are in place?

1. Firewall on MySQL port to DENY all but trusted hosts;
2. No grants for this user except localhost;
3. Only grant is select on mysql.user for the user in PHPMyAdmin.

I would think not, but, if you have additional concerns, I'd be interested in
reviewing them.

Best Regards,
Van
--
=========================================================================
Linux rocks!!! http://www.dedserius.com
=========================================================================
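
An audit for the exposure discussed in this thread, as an added example that is not part of either message: it lists every account that can read the password column of mysql.user at global, database, table or column scope. It assumes the classic MySQL grant tables and an administrative session; the column names checked ('Password' on older servers, 'authentication_string' on MySQL 5.7 and later) are assumptions about the server version.

```sql
-- Added example: list accounts that can read the password column of mysql.user.
-- Assumes the classic grant tables; 'Password' is the column name on older
-- servers, 'authentication_string' on MySQL 5.7 and later.
SELECT 'global' AS scope, User, Host
  FROM mysql.user
 WHERE Select_priv = 'Y'
UNION ALL
SELECT 'database', User, Host
  FROM mysql.db
 WHERE Select_priv = 'Y'
   AND 'mysql' LIKE Db            -- Db may hold % and _ wildcards
UNION ALL
SELECT 'table', User, Host
  FROM mysql.tables_priv
 WHERE Db = 'mysql' AND Table_name = 'user'
   AND FIND_IN_SET('Select', Table_priv) > 0
UNION ALL
SELECT 'column', User, Host
  FROM mysql.columns_priv
 WHERE Db = 'mysql' AND Table_name = 'user'
   AND LOWER(Column_name) IN ('password', 'authentication_string')
   AND FIND_IN_SET('Select', Column_priv) > 0
ORDER BY scope, User, Host;
```

Each row is an account holding a password-equivalent view of every other account, so the Host value shows whether that access is confined to localhost as in point 2 of the reply.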