List: General Discussion
From: Benjamin Pflugmann
Date: August 25 2000 3:03am
Subject: Re: Security alert: phpmyadmin
Hi.

If I remember correctly from a former security discussion, the server
sends a challenge to the client (i.e. a random string) which gets
encrypted with the password as seed. The encrypted string is sent back
and verified by the server by performing the same procedure (as said,
the server can easily decrypt the locally stored password string).

So, no, the plain password should never be sent around.

Bye,

        Benjamin.


PS: removed 'announce' from CC, because this isn't an announcement anymore.

On Fri, Aug 25, 2000 at 08:34:09AM +0800, rhopkins@stripped wrote:
> 
> 
> > Michael Widenius wrote:
> > >
> > > The encrypted password is the real password in MySQL;  The password is
> > > only encrypted to not let one guess your real password;
> >
> > Does this mean that when connecting to MySQL using perl (or even the
> > MySQL client) over a network, the following occurs?
> >
> >   DBD::mysql first encrypts the password.
> >   It then sends the encrypted password to the MySQL server.
> >   The MySQL server compares it to the stored encrypted password.
> >   If they match, let the user in.
> >
> > If so, couldn't someone sniff the packets and get the encrypted password
> > anyway?
> 
> I would have thought that the password would get sent to the mysql server
> before being encrypted for comparison!!!
[...]
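
The exchange described in this message, as an added example that is not part of the original post and not MySQL's code: it substitutes HMAC-SHA-256 for MySQL's own scramble routine, and all function names and the sample password are hypothetical. It shows the challenge-response round trip, that a captured response does not verify against a new challenge, and that the stored hash by itself is enough to answer a challenge, which is the point of Michael Widenius's quoted remark.

```python
import hashlib
import hmac
import secrets


def stored_hash(password: str) -> bytes:
    """What the server keeps on disk: a one-way hash, never the plaintext."""
    return hashlib.sha256(password.encode()).digest()


def new_challenge() -> bytes:
    """Server side: a fresh random string for every connection attempt."""
    return secrets.token_bytes(16)


def client_response(password: str, challenge: bytes) -> bytes:
    """Client side: key the challenge with the hashed password."""
    return hmac.new(stored_hash(password), challenge, hashlib.sha256).digest()


def server_verify(stored: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: repeat the client's computation from the stored hash."""
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = "constructed-sample-password"  # constructed sample value
    db_entry = stored_hash(password)

    # Normal login: only the challenge and the response cross the network.
    c1 = new_challenge()
    r1 = client_response(password, c1)
    login_ok = server_verify(db_entry, c1, r1)

    # A response captured on the wire does not verify against a new challenge.
    c2 = new_challenge()
    replay_ok = server_verify(db_entry, c2, r1)

    # The stored hash alone answers a challenge, so the table holding it
    # needs the same protection as a plaintext password would.
    r2 = hmac.new(db_entry, c2, hashlib.sha256).digest()
    hash_only_ok = server_verify(db_entry, c2, r2)

    return {"login": login_ok, "replay": replay_ok, "hash_only": hash_only_ok}


if __name__ == "__main__":
    print(demo())
```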