[Phpmyadmin-devel] about arbitrary auth_type
Michal Cihar
nijel at users.sourceforge.net
Thu Sep 11 10:13:55 CEST 2003
Hi all
Original message (Rabus, 11.09.2003 11:47):
> It has to be possible to disable the arbitary server mode. Not for cosmetic
> reasons: for security reasons!
>
> Let's imagin a small company network with two servers: server 1 and server
> 2, both running the MySQL server software.
> Server 1 is connected to the internet permanently. The MySQL database on
> server 1 sometimes has to be accessed from outside the network. This is why
> the sysadmin installed phpMyAdmin on server 1.
>
> The MySQL server on server 2 contains serious data and may not be accessible
> from the internet. Nevertheless, this database powers some php scripts
> running on server 1, so server 1 has to be able to connect to server 2's
> MySQL database.
>
> In this case, phpMyAdmin would be a security hole, if the arbitrary server
> mode wouldn't be configurable.
>
> In addition to this, an internet user would not only be able to access
> server 1 and 2, he would also be able to use the owner's bandwidth to access
> thousands of different servers all over the world.
I completely agree, I thought there could be some security problems...
The question now is how to make it:
- keep arbitrary auth is as separate auth method
- merge it with cookie and add option for enabling it
Comments?
--
Regards
Michal Cihar
http://cihar.com
More information about the Developers
mailing list