List: General Discussion
From: Van
Date: August 24 2000 1:28pm
Subject: Re: Security alert: phpmyadmin

Michael Widenius wrote:
> Hi!
> It has come to our attention that to use phpmyadmin one should set
> up MySQL to allow read on all columns in the mysql.user table.
> This is however very dangerous as if one knows the context of the
> password field in the above table, one can easily make a modified
> client that uses this to connect to the MySQL server.
> The encrypted password is the real password in MySQL;  The password is
> only encrypted to not let one guess your real password;  It was
> however never meant to be made readable to all!  Unfortunately we

Thanks for the heads up.  Should it matter that someone could make a modified
client for this user if the following are in place?

1.	Firewall on MySQL port to DENY all but trusted hosts;
2.	No grants for this user except localhost;
3.	Only grant is select on mysql.user for the user in PHPMyAdmin.

I would think not, but, if you have additional concerns, I'd be interested in
reviewing them.

Best Regards,
Linux rocks!!!
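
Conditions 2 and 3 in the message above can be checked directly against the grant tables. The audit query below is an added example, not part of the original post; it assumes the standard grant tables (`mysql.user`, `mysql.db`, `mysql.tables_priv`, `mysql.columns_priv`) and an administrative account to run it.

```sql
-- Added example: list every account that can read mysql.user,
-- at whichever grant level the SELECT privilege was given.

-- Global SELECT (covers every schema, including mysql)
SELECT 'global' AS grant_level, User, Host, NULL AS Column_name
FROM mysql.user
WHERE Select_priv = 'Y'

UNION ALL

-- Database-level SELECT on the mysql schema.
-- Db may hold wildcard patterns such as '%' or 'my%', hence LIKE.
SELECT 'database', User, Host, NULL
FROM mysql.db
WHERE Select_priv = 'Y'
  AND 'mysql' LIKE Db

UNION ALL

-- Table-level SELECT on mysql.user
SELECT 'table', User, Host, NULL
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND Table_name = 'user'
  AND FIND_IN_SET('Select', Table_priv) > 0

UNION ALL

-- Column-level SELECT on individual columns of mysql.user
SELECT 'column', User, Host, Column_name
FROM mysql.columns_priv
WHERE Db = 'mysql'
  AND Table_name = 'user'
  AND FIND_IN_SET('Select', Column_priv) > 0

ORDER BY Host, User;
```

Any row whose `Host` is not `localhost`, or whose account is not the one phpMyAdmin uses, falls outside the conditions listed in the message.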