[Phpmyadmin-devel] MAJOR security hole

Marc Delisle Delislma at CollegeSherbrooke.qc.ca
Mon Aug 12 07:09:02 CEST 2002

Robin Johnson wrote:

> Hi Guys,
> And other nefarious things. I found a few sites where I could access their
> entire database with full rights, even some where they have configured the
> user to root and I could change the mysql database.

I know at least one distribution of Linux that installs MySQL with user
root and no password.

Let's add a red warning when we detect that they are using 'config' auth 
mode, with a blank password, to try to educate the admin of this system.

> This is what we need to do to fix it:
> 1. All served up pages should contain directives to instruct search robots
> not to index the files. This will stop so many sites being listed in the
> search engines.
> 2. We should deprecate the user/password standard login, or add a bit of
> technology to it. We should throw up a login page of our own, that should
> authenticate against a user/password pair in an array inside the
> configuration file. It might be possible to keep the automatic login of
> user/password, but it should not be enabled by default, for security.
> And the configuration option to turn that insecure method back on should
> have huge warnings around it.

Marc Delisle
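The two mitigations discussed above (a red warning when 'config' auth mode is used with a blank password, and robots directives on every served page) sketched as an added PHP example. This is not phpMyAdmin's code; it assumes a config array laid out like the `$cfg['Servers'][$i]` structure of phpMyAdmin's `config.inc.php` (keys `auth_type`, `user`, `password`), and the sample config at the bottom is constructed to mirror the root-with-no-password case Robin describes.

```php
<?php
// Added example, not phpMyAdmin's own code. Assumption: $cfg['Servers'][$i]
// carries 'auth_type', 'user' and 'password' as in phpMyAdmin's config.inc.php.

// Return one human-readable finding per server that would log any visitor in
// automatically: 'config' auth mode combined with an empty password.
function find_blank_password_servers(array $cfg): array
{
    $findings = [];
    foreach ($cfg['Servers'] as $i => $server) {
        $auth = $server['auth_type'] ?? 'config';
        $pass = $server['password'] ?? '';
        if ($auth === 'config' && $pass === '') {
            $user = $server['user'] ?? '';
            $findings[] = sprintf(
                'Server %d: auth_type "config" with a blank password for user "%s"%s',
                $i,
                $user,
                $user === 'root' ? ' (MySQL root account)' : ''
            );
        }
    }
    return $findings;
}

// Render the findings as the red warning block proposed in the thread.
// Output is HTML-escaped so a crafted username cannot inject markup.
function render_warning(array $findings): string
{
    if ($findings === []) {
        return '';
    }
    $items = array_map(
        fn(string $f): string => '<li>' . htmlspecialchars($f, ENT_QUOTES, 'UTF-8') . '</li>',
        $findings
    );
    return '<div style="color:red;font-weight:bold">'
        . 'Warning: anyone who can reach this URL is logged in to MySQL automatically.'
        . '<ul>' . implode('', $items) . '</ul></div>';
}

// Robots directive as an HTTP header, so non-HTML responses are covered too.
function send_noindex_headers(): void
{
    if (!headers_sent()) {
        header('X-Robots-Tag: noindex, nofollow', true);
    }
}

// Robots directive as a <meta> tag for the <head> of every served page.
function noindex_meta_tag(): string
{
    return '<meta name="robots" content="noindex,nofollow">';
}

// Constructed sample config: server 1 is the dangerous case from the thread.
$cfg = ['Servers' => [
    1 => ['auth_type' => 'config', 'user' => 'root', 'password' => ''],
    2 => ['auth_type' => 'config', 'user' => 'app',  'password' => 's3cret'],
    3 => ['auth_type' => 'http',   'user' => '',     'password' => ''],
]];

send_noindex_headers();
echo "<!DOCTYPE html><html><head>", noindex_meta_tag(), "</head><body>\n";
echo render_warning(find_blank_password_servers($cfg)), "\n</body></html>\n";
```

Only server 1 produces a finding: server 2 has a password, and server 3 is not in 'config' mode (with HTTP auth the browser prompts for credentials, so nothing is stored in the config). The `X-Robots-Tag` header and the `<meta>` tag only ask well-behaved crawlers to stay away; they do not stop a person who already knows the URL, which is why the warning about automatic login is the more important of the two.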
