[Phpmyadmin-devel] AllowArbitraryServer and synchronisation

Michal Čihař michal at cihar.com
Mon Jan 31 16:19:49 CET 2011


Hi

On Fri, 28 Jan 2011 11:33:32 -0500
Marc Delisle <marc at infomarc.info> wrote:

> Michal Čihař wrote:
> > Hi all
> > 
> > for security reasons we have chosen AllowArbitraryServer to be disabled
> > by default. On the other side we have the synchronization feature, which
> > allows connecting to an arbitrary server as well and fetching any data
> > from it.
> > 
> > I think this disproportion should be fixed. I can see two approaches:
> > 
> > 1. The other option would be to drop AllowArbitraryServer completely as
> > right now it really does not bring any security.
> 
> I'm not in favor.
> > 
> > 2. Make AllowArbitraryServer really work as expected:
> > - Make AllowArbitraryServer enabled by default. I don't think the risk
> >   is too big and many people would use this feature.
> 
> I'm also not in favor, because of the increased risk. By doing so by 
> default we open the door to access (or try to access) any MySQL server 
> reachable by this web server.
> 
> I also don't like the extra "Server" question that this would bring.
> 
> > - If AllowArbitraryServer is set to false, disallow synchronization
> >   with arbitrary server as well.
> 
> I am in favor of this suggestion.

As there are no other comments to this, I've filed bug #3168733 [1] to
track this problem.

[1]: https://sourceforge.net/tracker/?func=detail&aid=3168733&group_id=23067&atid=377408

-- 
	Michal Čihař | http://cihar.com | http://blog.cihar.com
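The check agreed on above (when AllowArbitraryServer is false, synchronization may only target servers already in the configuration) can be expressed as a small gate in front of the synchronization connect step. The following is an added illustration, not phpMyAdmin's own code: the function name `isSyncTargetAllowed` and the shape of the requested target (host plus port) are assumptions; `$cfg['AllowArbitraryServer']` and `$cfg['Servers'][...]['host']` / `['port']` are the existing phpMyAdmin configuration keys.

```php
<?php
// Added example, not phpMyAdmin code: enforce AllowArbitraryServer for
// synchronization targets. The helper name and the (host, port) shape of the
// requested target are assumptions.
declare(strict_types=1);

/**
 * Decide whether a synchronization target may be connected to.
 *
 * @param array  $cfg  phpMyAdmin-style config: $cfg['AllowArbitraryServer'] (bool)
 *                     and $cfg['Servers'] (entries with 'host' and optional 'port').
 * @param string $host host requested by the user for synchronization
 * @param int    $port port requested by the user
 * @return bool true if the target may be used
 */
function isSyncTargetAllowed(array $cfg, string $host, int $port): bool
{
    // When arbitrary servers are allowed, the sync target is not restricted.
    if (!empty($cfg['AllowArbitraryServer'])) {
        return true;
    }

    // Otherwise the target must exactly match a configured server (host and
    // port), so synchronization cannot reach hosts the config does not list.
    foreach ($cfg['Servers'] ?? [] as $server) {
        if (empty($server['host'])) {
            continue;
        }
        // An empty port in config means the MySQL default.
        $cfgPort = (isset($server['port']) && $server['port'] !== '')
            ? (int) $server['port']
            : 3306;
        if (strcasecmp($server['host'], $host) === 0 && $cfgPort === $port) {
            return true;
        }
    }

    return false;
}

// Constructed sample configuration (hosts are placeholders).
$cfg = [
    'AllowArbitraryServer' => false,
    'Servers' => [
        1 => ['host' => 'localhost', 'port' => ''],
        2 => ['host' => 'db1.example.internal', 'port' => '3307'],
    ],
];

// Configured server: allowed.
var_dump(isSyncTargetAllowed($cfg, 'db1.example.internal', 3307));
// Same host, wrong port: refused.
var_dump(isSyncTargetAllowed($cfg, 'db1.example.internal', 3306));
// Host not in the configuration: refused while AllowArbitraryServer is off.
var_dump(isSyncTargetAllowed($cfg, '10.0.0.5', 3306));

// With AllowArbitraryServer enabled, the same target is accepted.
$cfg['AllowArbitraryServer'] = true;
var_dump(isSyncTargetAllowed($cfg, '10.0.0.5', 3306));
```

The point of matching on host and port together is that the gate then admits exactly the set of servers the administrator already chose to expose, which is the behaviour the thread asks for; the synchronization page would call this before opening any connection to the user-supplied target.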