[Phpmyadmin-devel] MAJOR security hole

Beck, Mike mike.beck at ibmiller.de
Mon Aug 12 00:49:01 CEST 2002


> 2. We should deprecate the user/password standard login, or add a bit of
> technology to it. We should throw up a login page of our own, that should
> authenticate against a user/password pair in an array inside the
> configuration file. It might be possible to keep the automatic login of
> user/password, but it should not be enabled by default, for security.
> And the configuration option to turn that insecure method back on should
> have huge warnings around it.


I agree there. Actually I was rather shocked to read an article about
phpMyAdmin in the German 'Linux Magazine' last week where they talked about
how to configure it and said that usually it is ok to leave the standard
entry of 'root' (without a password) there! So the guy writing the article
seems to think it is normal to set up a MySQL server without giving a
password for root, and he understands our config.inc.php3 to suggest it
should be like that... Well, I think I'll send them a reader's letter, but also
we should change the documentation and the config.inc. to more explicitly propose
using http or cookie protection.

regards

mike
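The contrast the post is about, as an added example rather than anything from the original mail or the phpMyAdmin project: a server entry configured the way the magazine article described (automatic 'config' login as root with an empty password) next to one that uses cookie or http authentication as the post proposes, followed by a small audit helper. It assumes the `$cfg['Servers'][$i][...]` key naming used by later phpMyAdmin releases (the 2002-era config.inc.php3 named these differently), and `find_passwordless_config_auth` is a helper written for this example, not a phpMyAdmin function; hostnames and the secret are constructed placeholders.

```php
<?php
// Added example (not code from the original post or from phpMyAdmin).
// Assumes the $cfg['Servers'][$i][...] key names of later phpMyAdmin
// releases; the 2002-era config.inc.php3 used different naming.

$i = 0;

// --- Weak: the pattern the article called "usually ok" ---
// 'config' auth keeps the MySQL credentials in this file, so anyone who can
// reach the phpMyAdmin URL is logged in as that account with no prompt at
// all. Combined with root and an empty password, every visitor gets full
// control of the database server.
$i++;
$cfg['Servers'][$i]['host']      = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'root';
$cfg['Servers'][$i]['password']  = '';

// --- Preferred: cookie (or http) auth, as the post proposes ---
// No MySQL credentials are stored here; each visitor must present their own
// MySQL user and password, which phpMyAdmin verifies against the server.
// Cookie auth needs a secret to protect the session cookie (placeholder).
$cfg['blowfish_secret'] = 'REPLACE-WITH-A-LONG-RANDOM-STRING';
$i++;
$cfg['Servers'][$i]['host']            = 'localhost';
$cfg['Servers'][$i]['auth_type']       = 'cookie';   // or 'http'
$cfg['Servers'][$i]['user']            = '';         // intentionally empty
$cfg['Servers'][$i]['password']        = '';
// Refuse logins for MySQL accounts that have no password at all, which
// closes the passwordless-root case even if such an account still exists.
$cfg['Servers'][$i]['AllowNoPassword'] = false;

// Audit helper constructed for this example: returns the indexes of server
// entries that still combine automatic 'config' login with an empty password.
function find_passwordless_config_auth(array $servers): array
{
    $flagged = [];
    foreach ($servers as $idx => $srv) {
        // 'config' was the historic default when auth_type was not set.
        $auth = $srv['auth_type'] ?? 'config';
        $pass = $srv['password']  ?? '';
        if ($auth === 'config' && $pass === '') {
            $flagged[] = $idx;
        }
    }
    return $flagged;
}

// Lists the offending entries; in this file only the first server matches.
print_r(find_passwordless_config_auth($cfg['Servers']));
```

Running the file with the PHP CLI reports the weak entry and stays quiet about the cookie-auth one; the same helper can be pointed at a real config array to check that no server still ships the root/no-password default the article recommended.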



