From: Van
Date: August 25 2000 3:51am
Subject: Re: Security alert: phpmyadmin
List-Archive: http://lists.mysql.com/mysql/48880
Message-Id:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 25 Aug 2000, Benjamin Pflugmann wrote:

> Hi.
>
> If I remember correctly from a former security discussion, the server
> sends a challenge to the client (i.e. a random string) which gets
> encrypted with the password as seed. The encrypted string is sent back
> and verified by the server by proceeding the same procedure (as said,
> the server can easily decrypt the locally stored password string).
>
> So, no, the plain password should never be sent around.
>
> Bye,
>
> Benjamin.

Best I can tell, if the browser isn't sending the password encrypted, it's
clear-text. So, it can be sniffed. Answer would be ssl, but, that forces a
restriction on the client. Eventually, they'll have to do it, anyway, but,
w/ respect to the topic at hand, once sent, the password is base64_encoded
in PHPMySQLAdmin, and, can be decoded to compare against the mysql dbase.

It looks as follows:

<?php
/*
  2000-08-23 22:26:59: Van
  Authentication module for BTime Accounting Application
  auth.inc.php3
  Entry program.
*/

/* Pull the raw Authorization header; its name may arrive in either case. */
$headers = getallheaders();
$auth = $headers['authorization'];
if ($auth == '') {
    $auth = $headers['Authorization'];
}

/* Challenge is issued elsewhere (FrontPage Extensions), so this stays off.
if ($auth == '') {
    Header("WWW-Authenticate: Basic realm=\"$PROG_NAME\"");
    Header("HTTP/1.0 401 Unauthorized");
}
*/

/* Strip the leading "Basic " (6 chars), base64-decode, and split on the
   FIRST colon only, so a password containing ':' is not truncated. */
list($PHP_AUTH_USER, $PHP_AUTH_PW) = explode(":", base64_decode(substr($auth, 6)), 2);

/* Debugging stuff...
echo "User was $PHP_AUTH_USER, Password was $PHP_AUTH_PW";
*/

/* Let MySQL do the real check: connect as the user the browser sent. */
if ($PHP_AUTH_PW) {
    mysql_connect($hostname, $PHP_AUTH_USER, $PHP_AUTH_PW);
}
?>

The above helps me to use FrontPage Extensions authentication, decode the
Auth string, and, use that to validate the user against the MySQL database
without having to work too hard on double-authentication mechanisms.

Not perfect, agreed, but, if they can sniff the clear-text passwd sent,
it's moot, anyway. This is where firewalling your servers affords some
level of protection against these technologies as we explore them.
Granted, cracking a server is never impossible. >:(

Van
=========================================================================
Linux rocks!!!
http://www.dedserius.com
=========================================================================
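The exchange Van describes, as an added example that is not part of the original message or of phpMyAdmin: HTTP Basic authentication puts `base64(user:password)` on the wire, and anyone who can read the request (a sniffer, a proxy log, a web-server access log with headers enabled) recovers the password with the same decode the server uses. The captured request, host name, user name and password below are all constructed for this example. The parser handles the cases the posted PHP glosses over: a header name in either case, a missing or non-Basic header, malformed base64, and a password that itself contains a colon (RFC 7617 forbids ':' in the user-id, so the split is on the first colon only, unlike `explode(":", ...)` with no limit).

```python
"""HTTP Basic auth on the wire: encode like a browser, decode like a sniffer.

Added example; not code from the original post or from phpMyAdmin.
All names, hosts and credentials below are made up.
"""
import base64
import binascii
from typing import Dict, Optional, Tuple


def make_basic_header(user: str, password: str) -> str:
    """What the browser sends after a 401 with 'WWW-Authenticate: Basic'.

    RFC 7617: the user-id must not contain ':' (the password may), and the
    token is base64 of 'user:password'. Base64 is an encoding, not a cipher:
    there is no key, so 'encoded' offers no confidentiality.
    """
    if ":" in user:
        raise ValueError("user-id may not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Split a raw HTTP/1.x request into {lower-cased name: value}."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_basic_credentials(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Recover (user, password) from an Authorization: Basic header.

    Header lookup is case-insensitive. Returns None when the header is
    absent, uses another scheme, or does not carry valid base64 for
    'user:password'.
    """
    auth = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if auth is None:
        return None
    scheme, _, token = auth.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None
    if ":" not in decoded:
        return None
    user, _, password = decoded.partition(":")  # first colon only
    return user, password


def sniff(raw_request: str) -> Optional[Tuple[str, str]]:
    """What a passive observer of the unencrypted request learns."""
    return parse_basic_credentials(parse_headers(raw_request))


# Constructed capture: one request to a Basic-auth protected admin page.
# The token decodes to 'dbadmin:s3cr3t:with:colons'.
CAPTURED_REQUEST = (
    "GET /phpMyAdmin/ HTTP/1.0\r\n"
    "Host: db.example.test\r\n"
    "Authorization: Basic ZGJhZG1pbjpzM2NyM3Q6d2l0aDpjb2xvbnM=\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(sniff(CAPTURED_REQUEST))
```

Nothing in `sniff` needs a secret, which is the whole point of the thread: the only thing that keeps the password off the wire in clear text is transport encryption (SSL), not the base64 step.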