
maria-discuss team mailing list archive

Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?


I have yet to see the difference between SSH tunnels and all the
administrative burden versus phpMyAdmin behind http-auth long before
its native login.

Your stuff doesn't scale on a setup with external users, who for sure
don't get SSH tunnels or, much worse, VPN access, and without external
users the whole issue doesn't exist.

On 17.04.19 at 19:30, Jeff Dyke wrote:
> I appreciate your points, but I don't give them out to 'every random
> monkey'; that would be completely against the setup I've chosen.  Showing
> someone how to ssh-tunnel via putty is not hard, is only done once and
> can be documented.  The people that I give ssh access to are managed
> centrally via a config mgmt system and they only have access to the
> bastion host, and are not users on any other host.  Also they can only
> connect to mysql from that host (which really doesn't matter since they
> can't get to another host).  And my point really is mainly for cloud
> infrastructures; if you're on a corporate network, hopefully the
> sysadmin has installed a VPN which can be used, and then you can VPN to
> the network and connect like you're local, which you could also do in
> the cloud.
> So IMHO it is much more secure, perhaps the way it's set up here, and
> again it's just my 2 cents.  SSH tunnels to a bastion host that is not
> allowed to talk to another host will always be more secure than any
> phpMyAdmin configuration.
> Again, I appreciate your point of view, but wanted to qualify some of my
> answers.
> On Wed, Apr 17, 2019 at 1:18 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>     On 17.04.19 at 18:55, Jeff Dyke wrote:
>     > Reindl's (funny) comments aside, why still use phpMyAdmin in this day
>     > and age?  Nearly every maria/percona/mysql client supports ssh
>     > tunneling: SequelPro on Mac, Heidi (or others) on Windows, and any
>     > Windows client running through wine if your desktop/laptop is Linux.
>     > Also developers can just use IntelliJ or similar IDEs that have a
>     > database pane.
>     >
>     > Trusting administration to an exposed phpMyAdmin in this day and age
>     > frightens me greatly.  Also if you had a HIDS server running to track
>     > bad phpMyAdmin logins I bet there would be a ton of alerts.  I've
>     > blocked all such attempts in my IPS even though I don't have
>     > phpMyAdmin.
>     >
>     > I realize this does not answer your question, but if this fits into your
>     > architecture I'd say goodbye to that web interface.
>     because it's nonsense to believe that you can manage to get everybody
>     who probably needs to access mysql with his restricted account to
>     learn how to use SSH tunnels
>     and that you are plain wrong when you believe handing out SSH tunnels into
>     your network to every random monkey increases security
>     not talking about that he is obviously a 3rd party to a customer where
>     you have no say in that context
>     the problem is *exposing* phpMyAdmin to the whole world and asking
>     stupid questions like which version before the latest one instead of just
>     updating it, and when you are too dumb to build packages for the target OS,
>     hire someone who is capable of doing so or unpack that damned folder
>     by hand
>     > On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>     >
>     >     On 17.04.19 at 16:50, Turritopsis Dohrnii Teo En Ming wrote:
>     >     > Subject/Topic: How do I determine if versions of phpMyAdmin before
>     >     > 4.8.5 are SQL injectable using sqlmap?
>     >
>     >     frankly, are you drunk?
>     >
>     >     you posted this exact same message to
>     >
>     >     * phpmyadmin list TWICE
>     >     * oracle mysql list
>     >     * now mariadb list
>     >
>     >     I seriously looked if my mailserver has a problem - stop it damned!
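
The bastion-and-tunnel setup Jeff describes above (tunnel-only SSH users who can reach nothing but the bastion, and MySQL reachable only from that host), written out as an added example; this is not code from the thread or from any of its participants. All host names, addresses, user and group names (bastion.example.com, 10.0.1.20, alice, the dbtunnel group) and the public key line are assumptions made up for the example, and the functions only write files under a scratch directory so the script is safe to run as-is.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names:
#   bastion.example.com  public bastion host (the only host reachable from outside)
#   10.0.1.20            MariaDB server, reachable only from the bastion
#   alice / dbtunnel     a tunnel-only user and the group such users belong to
# Every function writes to the path given as its first argument, so nothing here
# touches a real sshd or client configuration.

# Server side: one authorized_keys entry for alice. 'restrict' (OpenSSH 7.2+)
# turns every feature off, 'port-forwarding' turns only forwarding back on, and
# 'permitopen' pins the single destination the tunnel may reach.
write_tunnel_only_authorized_key() {
  # $1 = output file, $2 = alice's public key line
  printf '%s %s\n' \
    'restrict,port-forwarding,permitopen="10.0.1.20:3306"' "$2" > "$1"
}

# Server side: sshd_config Match block for the whole group, so the policy still
# holds if someone later adds a key without the options above.
write_bastion_match_block() {
  cat > "$1" <<'EOF'
Match Group dbtunnel
    AllowTcpForwarding local
    PermitOpen 10.0.1.20:3306
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# Client side: ~/.ssh/config stanza. Local 127.0.0.1:3307 is forwarded through
# the bastion to the database server's 3306. ExitOnForwardFailure makes ssh fail
# loudly instead of silently connecting without the tunnel.
write_client_ssh_config() {
  cat > "$1" <<'EOF'
Host bastion
    HostName bastion.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes
    LocalForward 127.0.0.1:3307 10.0.1.20:3306
    ExitOnForwardFailure yes
    ServerAliveInterval 30
EOF
}

# Stand-alone run: write the three files into a scratch directory and list them.
# The key below is a constructed placeholder, not a real public key.
out=$(mktemp -d)
write_tunnel_only_authorized_key "$out/authorized_keys" \
  'ssh-ed25519 AAAAconstructedExampleKey alice@laptop'
write_bastion_match_block "$out/sshd_config.d-dbtunnel.conf"
write_client_ssh_config "$out/ssh_config"
ls "$out"
```

With the files installed, the user runs `ssh -f -N bastion` and then `mysql -h 127.0.0.1 -P 3307 -u alice_db -p`; `-h 127.0.0.1` matters, because `localhost` makes the mysql client use the Unix socket and ignore the tunnel. Because the connection arrives at the database from the bastion, the MariaDB account should be granted for the bastion's internal address only (for example `'alice_db'@'10.0.1.10'`, another assumed address), not for `'%'`; that is what makes "they can only connect to mysql from that host" hold on the database side as well as on the SSH side.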
