Michal Cihar a écrit:
Hi all
Original message (Rabus, 11.09.2003 11:47):
It has to be possible to disable the arbitary server mode. Not for cosmetic reasons: for security reasons!
Let's imagin a small company network with two servers: server 1 and server 2, both running the MySQL server software. Server 1 is connected to the internet permanently. The MySQL database on server 1 sometimes has to be accessed from outside the network. This is why the sysadmin installed phpMyAdmin on server 1.
The MySQL server on server 2 contains serious data and may not be accessible from the internet. Nevertheless, this database powers some php scripts running on server 1, so server 1 has to be able to connect to server 2's MySQL database.
In this case, phpMyAdmin would be a security hole, if the arbitrary server mode wouldn't be configurable.
In addition to this, an internet user would not only be able to access server 1 and 2, he would also be able to use the owner's bandwidth to access thousands of different servers all over the world.
I completely agree, I thought there could be some security problems... The question now is how to make it:
- keep arbitrary auth is as separate auth method
- merge it with cookie and add option for enabling it
Comments?
I suggest to merge it with cookies, add a config variable to enable it but disable it by default, adding appropriate warning about the security implications.
About the thousands open servers that Rabus mentions, we could add a warning in our doc, referring users to http://www.mysql.com/doc/en/General_security.html and the fact that port 3306 should not be accessible from untrusted hosts.
Sadly we cannot detect this fact to warn them.
Marc