List: General Discussion
From: Michael Widenius
Date: August 27 2000 10:09pm
Subject: Re: Security alert: phpmyadmin
Hi!

>>>>> "Van" == Van  <vanboers@stripped> writes:

Van> Michael Widenius wrote:
>> 
>> Hi!
>> 
>> It has come to our attention that to use phpmyadmin one should set
>> up MySQL to allow read on all columns in the mysql.user table.
>> 
>> This is however very dangerous as if one knows the context of the
>> password field in the above table, one can easily make a modified
>> client that uses this to connect to the MySQL server.
>> 
>> The encrypted password is the real password in MySQL;  The password is
>> only encrypted to not let one guess your real password;  It was
>> however never meant to be made readable to all!  Unfortunately we
Van> Monty:

Van> Thanks for the heads up.  Should it matter that someone could make a modified
Van> client for this user if the following are in place?

Van> 1.	Firewall on MySQL port to DENY all but trusted hosts;

Van> 2.	No grants for this user except localhost;

Van> 3.	Only grant is select on mysql.user for the user in PHPMyAdmin.

Van> I would think not, but, if you have additional concerns, I'd be interested in
Van> reviewing them.

Looks ok to me, assuming a user with the password for phpmyadmin can't
get access to the 'trusted' hosts and the normal phpmyadmin user is
someone you can trust.

Regards,
Monty
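
An added example, not part of the original message and not MySQL's own code: a simplified Python model of why a readable hash column is password-equivalent when the client's login response is computed from the stored value itself (scheme A). Going beyond the thread, it contrasts a design where the server stores only a hash of the client's secret (scheme B); the function names, SHA-256 and both toy protocols are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))

# Scheme A (toy model): the server stores h(password) and the client's
# response is keyed by that same value, so the column IS the credential.
def a_stored(password: str) -> bytes:
    return h(password.encode())

def a_response(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def a_verify(stored: bytes, nonce: bytes, response: bytes) -> bool:
    return hmac.compare_digest(a_response(stored, nonce), response)

# Scheme B (toy model): the server stores h(h(password)); the client must
# prove knowledge of h(password), which the stored value does not reveal.
def b_stored(password: str) -> bytes:
    return h(h(password.encode()))

def b_response(client_secret: bytes, nonce: bytes) -> bytes:
    return xor(client_secret, h(nonce + h(client_secret)))

def b_verify(stored: bytes, nonce: bytes, response: bytes) -> bool:
    candidate = xor(response, h(nonce + stored))
    return hmac.compare_digest(h(candidate), stored)

def demo() -> dict:
    password = "constructed-sample-password"  # constructed sample value
    nonce = os.urandom(16)
    col_a = a_stored(password)  # what SELECT on the hash column exposes
    col_b = b_stored(password)
    return {
        # Legitimate client: derives its key from the clear-text password.
        "a_password": a_verify(col_a, nonce, a_response(h(password.encode()), nonce)),
        # Holder of the column value only: same key, so same result.
        "a_column_only": a_verify(col_a, nonce, a_response(col_a, nonce)),
        "b_password": b_verify(col_b, nonce, b_response(h(password.encode()), nonce)),
        # The column value is not the client's secret, so the check fails.
        "b_column_only": b_verify(col_b, nonce, b_response(col_b, nonce)),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Under scheme A, read access to the hash column has to be granted as carefully as the password itself, which is what the firewall and localhost-only restrictions discussed above compensate for.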