Hi all
Original message (Rabus, 11.09.2003 11:47):
It has to be possible to disable the arbitrary server mode. Not for cosmetic reasons: for security reasons!
Let's imagine a small company network with two servers: server 1 and server 2, both running the MySQL server software. Server 1 is connected to the internet permanently. The MySQL database on server 1 sometimes has to be accessed from outside the network. This is why the sysadmin installed phpMyAdmin on server 1.
The MySQL server on server 2 contains serious data and may not be accessible from the internet. Nevertheless, this database powers some PHP scripts running on server 1, so server 1 has to be able to connect to server 2's MySQL database.
In this case, phpMyAdmin would be a security hole if the arbitrary server mode weren't configurable.
In addition to this, an internet user would not only be able to access server 1 and 2, he would also be able to use the owner's bandwidth to access thousands of different servers all over the world.
I completely agree, I thought there could be some security problems... The question now is how to make it:
- keep arbitrary auth as a separate auth method
- merge it with cookie and add an option for enabling it
Comments?
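
The gate discussed in this thread, sketched as an added example (not part of the original messages and not phpMyAdmin's own code): a user-typed host is honoured only when the administrator has switched the feature on, so server 2 stays unreachable from the login form. The names `allow_arbitrary_server` and `resolve_login_host`, the host names and the sample requests are hypothetical.

```php
<?php
// Added illustration; hypothetical names, not phpMyAdmin code.

// Constructed configuration: the two servers from the scenario above.
$config = [
    'allow_arbitrary_server' => false,           // hypothetical switch, off by default
    'servers' => [
        1 => ['host' => 'localhost'],            // server 1: local MySQL
        // server 2 is deliberately not listed: only the PHP scripts may reach it
    ],
];

/**
 * Decide which MySQL host a login request may connect to.
 * $request holds the submitted form fields (constructed sample input below).
 * Returns the host name, or null when the request must be refused.
 */
function resolve_login_host(array $config, array $request): ?string
{
    $typed = isset($request['host']) ? trim((string) $request['host']) : '';

    if ($typed !== '') {
        // A free-form host is honoured only when the administrator opted in.
        if (empty($config['allow_arbitrary_server'])) {
            return null;
        }
        // Even then accept only a plain host name or IPv4 address.
        return preg_match('/^[A-Za-z0-9.-]{1,253}$/', $typed) === 1 ? $typed : null;
    }

    // Otherwise the user picks an index into the administrator's list.
    $index = isset($request['server']) ? (int) $request['server'] : 0;
    return $config['servers'][$index]['host'] ?? null;
}

// Constructed sample requests.
$samples = [
    ['server' => 1],                 // configured server
    ['host' => 'server2.internal'],  // internal host typed in by the user
    ['host' => 'db.example.org'],    // unrelated external host
];
foreach ($samples as $request) {
    $host = resolve_login_host($config, $request);
    echo json_encode($request), ' => ', $host ?? 'refused', "\n";
}
```

With the switch off, only the first sample resolves to a host; the other two are refused before any connection attempt is made.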