From: Benjamin Pflugmann
Date: August 25 2000 1:26pm
Subject: Re: Security alert: phpmyadmin
List-Archive: http://lists.mysql.com/mysql/48917
Message-Id: <20000825152648.V1502@spin.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Hi.

On Thu, Aug 24, 2000 at 11:51:41PM -0400, vanboers@stripped wrote:
> On Fri, 25 Aug 2000, Benjamin Pflugmann wrote:
>
> > Hi.
> >
> > If I remember correctly from a former security discussion, the server
> > sends a challenge to the client (i.e. a random string) which gets
> > encrypted with the password as seed. The encrypted string is sent back
> > and verified by the server by proceeding the same procedure (as said,
> > the server can easily decrypt the locally stored password string).
> >
> > So, no, the plain password should never be sent around.
> >
> > Bye,
> >
> > Benjamin.

> Best I can tell, if the browser isn't sending the password encrypted, it's

You are absolutely correct. I was talking about the connection
mysql-client <-> mysql server.

> clear-text. So, it can be sniffed. Answer would be ssl, but, that forces
> a restriction on the client.
[...]

Bye,

Benjamin.
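The contrast drawn in this thread, as an added example that is not part of the original message: a challenge-response login keeps the password off the wire, while a form posted over plain HTTP carries it verbatim. HMAC-SHA256 stands in for the server's actual scramble routine, which the thread does not specify; all function names, the `/login` path and the sample credentials are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets


def verifier(password: str) -> bytes:
    # What the server keeps on disk in this sketch. Assumption: plain SHA-256,
    # chosen for brevity. The value is password-equivalent for this scheme.
    return hashlib.sha256(password.encode()).digest()


def client_response(password: str, challenge: bytes) -> bytes:
    # The client proves knowledge of the password by keying a MAC over the
    # server's random challenge; the password itself is never transmitted.
    return hmac.new(verifier(password), challenge, hashlib.sha256).digest()


def server_check(stored: bytes, challenge: bytes, response: bytes) -> bool:
    expected = hmac.new(stored, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def login(stored: bytes, password: str) -> tuple[bool, list[bytes]]:
    """Run one handshake; return (accepted, every message seen on the wire)."""
    challenge = secrets.token_bytes(16)
    response = client_response(password, challenge)
    return server_check(stored, challenge, response), [challenge, response]


def replay(stored: bytes, captured_response: bytes) -> bool:
    # An old response is checked against a fresh challenge, so it is rejected.
    return server_check(stored, secrets.token_bytes(16), captured_response)


def cleartext_form_post(user: str, password: str) -> bytes:
    # Constructed sample of a browser request to a web front end over plain
    # HTTP: the password is part of the request body.
    body = f"user={user}&password={password}"
    return f"POST /login HTTP/1.0\r\nContent-Length: {len(body)}\r\n\r\n{body}".encode()


if __name__ == "__main__":
    pw = "s3cret-example"  # constructed sample value
    stored = verifier(pw)
    ok, wire = login(stored, pw)
    print("handshake accepted:", ok)
    print("password on wire (challenge-response):", any(pw.encode() in m for m in wire))
    print("replayed response accepted:", replay(stored, wire[1]))
    print("password on wire (HTTP form):", pw.encode() in cleartext_form_post("bob", pw))
```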