[Phpmyadmin-devel] MAJOR security hole
Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 07:09:02 CEST 2002
Robin Johnson wrote:
> Hi Guys,
> And other nefarious things. I found a few sites where I could access their
> entire database with full rights, even some where they have configured the
> user to root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user
root and no password.
Let's add a red warning when we detect that they are using 'config' auth
mode, with a blank password, to try to educate the admin of this system.
> This is what we need to do to fix it:
> 1. All served up pages should contain directives to instruct search robots
> not to index the files. This will stop so many sites being listed in the
> search engines.
> 2. We should deprecate the user/password standard login, or add a bit of
> technology to it. We should throw up a login page of our own, that should
> authenticate against a user/password pair in an array inside the
> configuration file. It might be possible to keep the automatic login of
> user/password, but it should not be enabled by default, for security.
> And the configuration option to turn that unsecure method back on should
> have huge warnings around it.
More information about the Developers