maria-discuss team mailing list archive
Message #05418
Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?
I have yet to see the difference between SSH tunnels and all the
administrative burden versus phpMyAdmin behind http-auth long before
its native login.
Your stuff doesn't scale on a setup with external users who for sure
don't get SSH tunnels or, much worse, VPN access, and without external
users the whole issue doesn't exist.
On 17.04.19 at 19:30, Jeff Dyke wrote:
> I appreciate your points, but I don't give them out to 'every random
> monkey', that would be completely against the setup I've chosen. Showing
> someone how to ssh-tunnel via putty is not hard, and is only once and
> can be documented. The people that I give ssh access to are managed
> centrally via a config mgmt system and they only have access to the
> bastion host, and are not users on any other host. Also they can only
> connect to mysql from that host (which really doesn't matter since they
> can't get to another host). And my point really mainly is for cloud
> infrastructures; if you're on a corporate network, hopefully the
> sysadmin has installed a VPN which can be used and then you can VPN to
> the network and connect like you're local, which you could also do in
> the cloud.
>
> So IMHO it is much more secure, perhaps the way it's set up here and
> again it's just my 2 cents. SSH Tunnels to a bastion host that is not
> allowed to talk to another host will always be more secure than any
> phpMyAdmin configuration.
>
> Again, i appreciate your point of view, but wanted to qualify some of my
> answers.
>
> On Wed, Apr 17, 2019 at 1:18 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
>
>
>
> On 17.04.19 at 18:55, Jeff Dyke wrote:
> > Reindl's (funny) comments aside. Why still use phpMyAdmin in this day
> > and age? Nearly every maria/percona/mysql client supports ssh
> > tunneling. SequelPro on Mac, Heidi (or others) on Windows, and any
> > windows client running through wine if your desktop/laptop is linux.
> > Also developers can just use intellij or similar IDEs that have a
> > database pane.
> >
> > Trusting administration to an exposed phpMyAdmin in this day and age
> > frightens me greatly. Also if you had an HIDS server running to track
> > bad phpMyAdmin logins I bet there would be a ton of alerts. I've
> > blocked all such attempts in my IPS even though I don't have
> > phpMyAdmin.
> >
> > I realize this does not answer your question, but if this fits
> > into your architecture I'd say goodbye to that web interface.
>
> because it's nonsense to believe that you can manage to get everybody
> who probably needs to access mysql with his restricted account to
> learn how to use ssh-tunnels
>
> and that you are plain wrong when you believe that handing out ssh
> tunnels into your network for every random monkey increases security
>
> not to mention that he is obviously a 3rd party to a customer where
> you have no say in that context
>
> the problem is *exposing* phpMyAdmin to the whole world and asking
> stupid questions like which version before the latest one instead of
> just updating it, and when you are too dumb to build packages for the
> target OS, hire someone who is capable of doing so or unpack that
> damned folder by hand
>
> > On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:
> >
> >
> >
> > On 17.04.19 at 16:50, Turritopsis Dohrnii Teo En Ming wrote:
> > > Subject/Topic: How do I determine if versions of phpMyAdmin before
> > > 4.8.5 is SQL Injectable using sqlmap?
> >
> > frankly, are you drunk?
> >
> > you posted this exactly same message to
> >
> > * phpmyadmin list TWICE
> > * oracle mysql list
> > * now mariadb list
> >
> > I seriously checked whether my mailserver has a problem - stop it,
> > damned!