maria-discuss team mailing list archive

Thread
Date

Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?

To: maria-discuss@xxxxxxxxxxxxxxxxxxx
From: Reindl Harald <h.reindl@xxxxxxxxxxxxx>
Date: Wed, 17 Apr 2019 19:18:28 +0200
In-reply-to: <CAHmnZdbm12EkMyVEvi9uBx5f5MSP1ioJkpenwKUFCtbxEXoeLQ@mail.gmail.com>
Openpgp: id=9D2B46CDBC140A36753AE4D733174D5A5892B7B8; url=https://arrakis-tls.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Organization: the lounge interactive design
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1


Am 17.04.19 um 18:55 schrieb Jeff Dyke:
> Reindl's (funny) comments aside.  Why still use phpMyAdmin in this day
> and age.  Nearly every maria/percona/mysql client supports ssh
> tunneling.  SequelPro on Mac, Heidi (or others) on Windows, and any
> windows client running through wine if your desktop/laptop is linux. 
> Also developers can just use intellij or similar IDE's that have a
> database pane. 
> 
> Trusting administration to an exposed phpMyAdmin in this day and age
> frightens me greatly.  Also if you had an HIDS server running to track
> bad phpMyAdmin logins i bet there would be a ton of alerts.  I've
> blocked all such attempts in my IPS even though i don't have phpMyAdmin.
> 
> I realize this does not answer your question, but if this fits into your
> architecture i'd say good by to that web interface.

because it's nonsense to believe that you can manage to handle everybody
which probably needs to access mysql with his restricted account to
learn how to use ssh-tunnles

and that you are plain wrong when you believe hand out ssh tunnels into
your network for every random monkey increases security

not talking about that he is obviously a 3rd party to a customer where
you have no say in that context

the problem is *exposing* phpMyAdmin for the whole world and asking
stupid questions like which version before the latest one instead just
update it and when you are too dumb building packages for the target OS
hire some one which is capable to do so or unpack that dmaned folder ph hand

> On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx
> <mailto:h.reindl@xxxxxxxxxxxxx>> wrote:
> 
> 
> 
>     Am 17.04.19 um 16:50 schrieb Turritopsis Dohrnii Teo En Ming:
>     > Subject/Topic: How do I determine if versions of phpMyAdmin before
>     4.8.5 is SQL Injectable using sqlmap?
> 
>     frankly are you drunken?
> 
>     you posted this exactly same message to
> 
>     * phpmyadmin list TWICE
>     * oracle mysql list
>     * now mariadb list
> 
>     i seriously looked if my mailserver has a problem - stop it damned!

Follow ups

Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
From: Jeff Dyke, 2019-04-17

References

How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
From: Turritopsis Dohrnii Teo En Ming, 2019-04-17
Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
From: Reindl Harald, 2019-04-17
Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
From: Jeff Dyke, 2019-04-17