Hi!
>>>>> "Van" == Van <vanboers@stripped> writes:
Van> Michael Widenius wrote:
>>
>> Hi!
>>
>> It has come to our attention that to use phpmyadmin one should set
>> up MySQL to allow read on all columns in the mysql.user table.
>>
>> This is however very dangerous as if one knows the context of the
>> password field in the above table, one can easily make a modified
>> client that uses this to connect to the MySQL server.
>>
>> The encrypted password is the real password in MySQL; The password is
>> only encrypted to not let one guess your real password; It was
>> however never meant to be made readable to all! Unfortunately we
Van> Monty:
Van> Thanks for the heads up. Should it matter that someone could make a modified
Van> client for this user if the following are in place?
Van> 1. Firewall on MySQL port to DENY all but trusted hosts;
Van> 2. No grants for this user except localhost;
Van> 3. Only grant is select on mysql.user for the user in PHPMyAdmin.
Van> I would think not, but, if you have additional concerns, I'd be interested in
Van> reviewing them.
Looks ok to me, assuming a user with the password for phpmyadmin can't
get access to the 'trusted' hosts and the normal phpmyadmin user is
someone you can trust.
Regards,
Monty
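The setup Van lists (a phpmyadmin account that exists only for localhost and holds nothing but SELECT on mysql.user), written out as an added example for readers of this thread; it is not code from the thread, from MySQL or from phpMyAdmin. It assumes MySQL 5.0 or later syntax (CREATE USER), an account named 'pma'@'localhost', and a placeholder password. The column-level variant at the end goes one step beyond the thread: it grants the two columns phpMyAdmin needs to list accounts while leaving the Password column (which Monty describes as the real credential) unreadable; whether the phpMyAdmin version in use works with that narrower grant is not something the thread establishes, so test it before relying on it.

```sql
-- Added example (not from the thread). Assumes MySQL 5.0+ syntax.
-- Account name 'pma' and the password are assumed placeholders.

-- 1. Create the phpMyAdmin account bound to localhost only.
--    Because the host part is 'localhost', the same password presented
--    from any other host matches no account row at all.
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';

-- 2. The grant the thread describes: read access to mysql.user and
--    nothing else. This still exposes the Password column to 'pma'.
GRANT SELECT ON mysql.user TO 'pma'@'localhost';

-- 3. Tighter alternative (beyond the thread): expose only the columns
--    needed to enumerate accounts, not the stored password hashes.
--    Revoke the table-wide grant first, then grant per column.
REVOKE SELECT ON mysql.user FROM 'pma'@'localhost';
GRANT SELECT (Host, User) ON mysql.user TO 'pma'@'localhost';

-- 4. Checks a practitioner would run afterwards.
--    a) The account's effective privileges should show exactly one
--       GRANT line for mysql.user and the default USAGE line.
SHOW GRANTS FOR 'pma'@'localhost';

--    b) No copy of the account should exist for any other host; the
--       second query should return zero rows.
SELECT User, Host FROM mysql.user WHERE User = 'pma';
SELECT User, Host FROM mysql.user WHERE User = 'pma' AND Host <> 'localhost';

--    c) Confirm the narrowed grant actually blocks the hash: run this
--       as 'pma'@'localhost' after step 3 and it must fail with
--       "command denied" rather than return data.
-- SELECT Password FROM mysql.user;
```

Van's first two points (a firewall on the MySQL port and localhost-only grants) defend the same boundary from two sides: the firewall stops a modified client from reaching the server from an untrusted host, and the 'localhost' host part makes the stolen hash useless even if the firewall is misconfigured, because the server will not match that account from a remote address at all.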