Hi
On Thu, 4 Aug 2011 14:46:17 +0200 Piotr Przybylski piotr.prz@gmail.com wrote:
> So, I propose to:
> - Exchange MariaDB and MySQL databases in config file.
> - Change automatic login to select MySQL database which now has index 1.
Done, this makes sense.
> - Create some sample database with tables and columns which are
> potentially dangerous.
We already had a similar topic on the security list, but let's open it here again. The question here is whether the demo server is primarily for users or developers. Counting the number of visitors on the website, it's clearly mostly visited by users, so putting developer-only things there, which could confuse them, is probably not a good idea.
Also see test/test_data/exploit_test.sql for example data.
> Also, create guidelines for future GSoC with a sample configuration consisting of two servers (the first one can be a broken fake, the student should work with the second one) and a SQL script which creates the tables from point 3 above, with some explanation on escaping and that MySQL identifiers can also contain dangerous data (not a security issue, but it can break page layout).
Any volunteers to write this down in the wiki? And I don't think this is limited to GSoC, but applies generally to any development.
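As an added example (not code from this thread or from phpMyAdmin), here is what the escaping explanation above boils down to: quoting identifiers for MySQL (backtick doubling) and escaping them again before they reach page HTML, plus a generator for the kind of sample table with layout-breaking names that Piotr proposes. The identifier names are constructed test data.

```python
"""Escape MySQL identifiers correctly and generate a sample "dangerous" table.
Added example; the sample names below are constructed, not from any project."""
import html

MAX_IDENT_LEN = 64  # MySQL limit on identifier length


def quote_identifier(name: str) -> str:
    """Quote a MySQL identifier with backticks.

    Inside backticks the only special character is the backtick itself,
    which must be doubled. NUL is never permitted in an identifier, and
    identifiers longer than 64 characters are rejected by the server.
    """
    if "\x00" in name:
        raise ValueError("NUL is not permitted in MySQL identifiers")
    if len(name) > MAX_IDENT_LEN:
        raise ValueError("identifier longer than 64 characters")
    return "`" + name.replace("`", "``") + "`"


def identifier_for_html(name: str) -> str:
    """Escape an identifier before it is emitted into page markup.

    SQL quoting says nothing about HTML: a name like '</td></table>' is a
    valid identifier but breaks the layout if written out unescaped.
    """
    return html.escape(name, quote=True)


# Constructed sample schema: every name is a legal MySQL identifier but would
# break SQL quoting, page layout or attribute values if handled naively.
SAMPLE_TABLE = "tab`le </td></table>"
SAMPLE_COLUMNS = [
    ("id", "INT NOT NULL PRIMARY KEY"),
    ("<b>bold</b> name", "VARCHAR(255)"),
    ("value' OR \"x", "VARCHAR(255)"),
    ("col `with` backticks", "TEXT"),
]


def create_table_sql(table: str, columns) -> str:
    """Build a CREATE TABLE statement with every identifier quoted."""
    cols = ",\n  ".join(f"{quote_identifier(c)} {t}" for c, t in columns)
    return f"CREATE TABLE {quote_identifier(table)} (\n  {cols}\n);"


if __name__ == "__main__":
    print(create_table_sql(SAMPLE_TABLE, SAMPLE_COLUMNS))
    for name in [SAMPLE_TABLE] + [c for c, _ in SAMPLE_COLUMNS]:
        print(repr(name), "->", identifier_for_html(name))
```

Running the script prints a statement that MySQL accepts as-is, which is the point: the same names that load fine must still be escaped a second time on output.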