List:General Discussion« Previous MessageNext Message »
From:Van Date:August 25 2000 3:51am
Subject:Re: Security alert: phpmyadmin
View as plain text  
On Fri, 25 Aug 2000, Benjamin Pflugmann wrote:

> Hi.
> 
> If I remember correctly from a former security discussion, the server
> sends a challange to the client (i.e. a random string) which gets
> encrypted with the password as seed. The encrypted string is sent back
> and verified by the server by proceeding the same procedure (as said,
> the server can easily decrypt the locally stored password string).
> 
> So, no, the plain password is should never been sent around.
> 
> Bye,
> 
>         Benjamin.
Best I can tell, if the browser isn't sending the password encrypted, it's
clear-text.  So, it can be sniffed.  Answer would be ssl, but, that forces
a restriction on the client.

Eventually, they'll have to do it, anyway, but, w/ respect to the topic at
hand, once sent, the password is base64_encoded in PHPMySQLAdmin, and, can
be de-encoded to compare against the mysql dbase.  It looks as follows:
<%
/*	2000-08-23 22:26:59:  Van
	Authentication module for BTime Accounting Application
	auth.inc.php3
	Entry program.
*/

$headers = getallheaders(); 
$auth=$headers[authorization]; 
if ($auth=='') 
{ 
	$auth=$headers[Authorization]; 
} 
/*
if($auth=='') 
{ 
Header("WWW-Authenticate: Basic realm=\"$PROG_NAME\""); 
Header("HTTP/1.0 401 Unauthorized"); 
} 
*/
list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(":",
base64_decode(substr($auth, 6))); 
/*
Debugging stuff...
echo "<center>User was $PHP_AUTH_USER, Password was
$PHP_AUTH_PW</center>";*/


if ($PHP_AUTH_PW) 
	{
	mysql_connect("$hostname",$PHP_AUTH_USER,$PHP_AUTH_PW);
	} 
%>

The above helps me to use FrontPage Extensions authentication, unencode
the Auth string, and, use that to validate the user against the MySQL
database without having to work too hard on double-authentication
mechanisms.  Not perfect, agreed, but, if they can sniff the clear-text
passwd sent, it's moot, anyway.

This is where firewalling your servers affords some level of protection
against these technologies as we explore them.

Granted, cracking a server is never impossible.  >:(  

Van

=========================================================================
Linux rocks!!!   http://www.dedserius.com
=========================================================================
Thread
How large a database can mySQL handle?Jeff Schwartz11 Mar
  • Re: How large a database can mySQL handle?Van12 Mar
    • Re: How large a database can mySQL handle?Michael Widenius12 Mar
  • Re: How large a database can mySQL handle?Henrique Pantarotto12 Mar
  • Re: How large a database can mySQL handle?David Sklar12 Mar
  • RE: How large a database can mySQL handle?Brett Error12 Mar
  • Re: Security alert: phpmyadminVan24 Aug
    • Re: Security alert: phpmyadminMichael Widenius28 Aug
  • Re: Security alert: phpmyadminTonu Samuel24 Aug
  • Re: Security alert: phpmyadminEd Wang24 Aug
  • Re: Security alert: phpmyadminRolf Hopkins25 Aug
    • Re: Security alert: phpmyadminBenjamin Pflugmann25 Aug
      • Re: Security alert: phpmyadminVan25 Aug
        • Re: Security alert: phpmyadminBenjamin Pflugmann25 Aug