From: Van
Date: August 24 2000 1:28pm
Subject: Re: Security alert: phpmyadmin
List-Archive: http://lists.mysql.com/mysql/48803
Message-Id: <39A5231B.22C9574B@dedserius.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Michael Widenius wrote:
>
> Hi!
>
> It has come to our attention that to use phpmyadmin one should set
> up MySQL to allow read on all columns in the mysql.user table.
>
> This is however very dangerous as if one knows the context of the
> password field in the above table, one can easily make a modified
> client that uses this to connect to the MySQL server.
>
> The encrypted password is the real password in MySQL; The password is
> only encrypted to not let one guess your real password; It was
> however never meant to be made readable to all! Unfortunately we

Monty:

Thanks for the heads up. Should it matter that someone could make a
modified client for this user if the following are in place?

1. Firewall on MySQL port to DENY all but trusted hosts;
2. No grants for this user except localhost;
3. Only grant is select on mysql.user for the user in PHPMyAdmin.

I would think not, but, if you have additional concerns, I'd be
interested in reviewing them.

Best Regards,
Van
--
=========================================================================
Linux rocks!!!                          http://www.dedserius.com
=========================================================================
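The following SQL is an added example, not part of the original thread, showing how Van's conditions 2 and 3 (condition 1, the firewall, is outside SQL) look as MySQL privilege statements, followed by the checks a DBA would run to confirm that no account other than a localhost one can read mysql.user. The account name 'pma'@'localhost' and its password are placeholders; the syntax assumes MySQL 5.x or 8.x (CREATE USER, subqueries), not the 3.23 server of the original discussion. The column-level GRANT at the end is an extra tightening option the thread does not mention: it keeps the hash column itself unreadable, which is the exposure Monty warns about.

```sql
-- Added example (not from the original mailing-list post).
-- 'pma'@'localhost' and 'CHANGE-ME' are placeholders.

-- Conditions 2 and 3: the account exists for localhost only and its
-- single privilege is SELECT on mysql.user.
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'CHANGE-ME';
GRANT SELECT ON mysql.user TO 'pma'@'localhost';

-- Check 1: exactly one host entry for the account, and it is localhost.
SELECT Host, User FROM mysql.user WHERE User = 'pma';

-- Check 2: the grant list shows only USAGE ON *.* (no global rights)
-- plus SELECT ON `mysql`.`user`.
SHOW GRANTS FOR 'pma'@'localhost';

-- Check 3 (server-wide audit): any account that can read mysql.user
-- from a non-local host, whether via a global SELECT, a database-level
-- grant on `mysql`, or a table-level grant on `mysql`.`user`.
SELECT u.User, u.Host
  FROM mysql.user AS u
 WHERE u.Host NOT IN ('localhost', '127.0.0.1', '::1')
   AND (u.Select_priv = 'Y'
        OR EXISTS (SELECT 1 FROM mysql.db AS d
                    WHERE d.User = u.User AND d.Host = u.Host
                      AND d.Db = 'mysql' AND d.Select_priv = 'Y')
        OR EXISTS (SELECT 1 FROM mysql.tables_priv AS t
                    WHERE t.User = u.User AND t.Host = u.Host
                      AND t.Db = 'mysql' AND t.Table_name = 'user'
                      AND FIND_IN_SET('Select', t.Table_priv) > 0));
-- An empty result means no remote account can read the password hashes.

-- Optional tightening (not discussed in the thread): a column-level
-- grant that excludes the hash column altogether. The hash column is
-- `Password` before MySQL 5.7 and `authentication_string` from 5.7 on;
-- neither is listed here, so the account cannot read it.
REVOKE SELECT ON mysql.user FROM 'pma'@'localhost';
GRANT SELECT (Host, User) ON mysql.user TO 'pma'@'localhost';
```

The audit query is the check worth keeping: it answers Monty's concern directly by listing every account whose host pattern is not local yet can read mysql.user, regardless of which of the three privilege tables granted the access. Whether the phpMyAdmin version in use works with only the Host and User columns readable is not something the thread establishes, so the column-level variant should be tested against the application before relying on it.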