[Phpmyadmin-devel] insecure login

Marc Delisle marc at infomarc.info
Tue Oct 26 11:09:36 CEST 2010


On 2010-10-26 02:57, Rohit Kalhans wrote:
> Isn't the secure sending of the username and password supposed to be
> supported by the SSL connection between the client browser and the server
> hosting PMA, i.e. hosting PMA on a server using https protocol?

Indeed. Also, using https covers not only the login phase but also all
data sent and received afterwards, which might contain sensitive info.

> 
> On Tue, Oct 26, 2010 at 5:12 AM, Peter Miller <petermiller1986 at gmail.com> wrote:
> 
>> hi,
>> i've recently been ramping up security on my server and i realised that
>> phpmyadmin sends the username and password in plaintext across the http
>> connection from client to server when logging in. this seems like quite a
>> security hole, so i just thought i'd see if there are any other options to
>> use encryption on the username and password for the login page? i've had a
>> bit of a look through the code but i couldn't see any options to 'turn on' a
>> higher level of security so i'm guessing there currently isn't one. that
>> being the case i'd be keen to implement a more secure login.
>>
>> what are everyone's thoughts on this?
>>
>> cheers
>> pete



-- 
Marc Delisle
http://infomarc.info



