
maria-discuss team mailing list archive

Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?


How can you say it doesn't scale when you have no idea how I'm set up?  I
had to add 5 users yesterday, took 5-10 (mostly talking to people)
minutes.  Using a config mgmt system I set up ssh and mysql in the same
single call to multiple database servers; some users will have multiple
logins based on the ability to read and the ability to write, which is based
on the configured security group.  It scales quite well indeed and I don't
have to worry about a php application where security risks are more prone to
come with each update.  Also http-auth takes admin as well.

Aside from that, I'm done here.  We obviously disagree; I'm strictly
offering another viewpoint and I happen to have the infrastructure in
place to make it quick and simple (both additions and deletions).  And why
would I let external people access my database?  In all the jobs I've had
this has never been a requirement, and I'm old, but that doesn't mean it's
not a requirement for some.

You do what works for you and I'll do the same.

Best,
Jeff

On Wed, Apr 17, 2019 at 2:46 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx>
wrote:

> I have yet to see the difference between SSH tunnels and all the
> administrative burden versus phpMyAdmin behind http-auth long before
> its native login
>
> your stuff doesn't scale on a setup with external users who for sure
> don't get ssh-tunnels or much worse vpn access, and without external
> users the whole issue doesn't exist
>
> On 17.04.19 at 19:30 Jeff Dyke wrote:
> > I appreciate your points, but I don't give them out to 'every random
> > monkey'; that would be completely against the setup I've chosen.  Showing
> > someone how to ssh-tunnel via PuTTY is not hard, is only done once and
> > can be documented.  The people that I give ssh access to are managed
> > centrally via a config mgmt system and they only have access to the
> > bastion host, and are not users on any other host.  Also they can only
> > connect to mysql from that host (which really doesn't matter since they
> > can't get to another host).  And my point really is mainly for cloud
> > infrastructures; if you're on a corporate network, hopefully the
> > sysadmin has installed a VPN which can be used and then you can VPN to
> > the network and connect like you're local, which you could also do in
> > the cloud.
> >
> > So IMHO it is much more secure, perhaps the way it's set up here and
> > again it's just my 2 cents.  SSH Tunnels to a bastion host that is not
> > allowed to talk to another host will always be more secure than any
> > phpMyAdmin configuration.
> >
> > Again, I appreciate your point of view, but wanted to qualify some of my
> > answers.
> >
> > On Wed, Apr 17, 2019 at 1:18 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx>
> > wrote:
> >
> >     On 17.04.19 at 18:55 Jeff Dyke wrote:
> >     > Reindl's (funny) comments aside.  Why still use phpMyAdmin in this
> >     > day and age?  Nearly every maria/percona/mysql client supports ssh
> >     > tunneling.  SequelPro on Mac, Heidi (or others) on Windows, and any
> >     > Windows client running through wine if your desktop/laptop is
> >     > Linux.  Also developers can just use IntelliJ or similar IDEs that
> >     > have a database pane.
> >     >
> >     > Trusting administration to an exposed phpMyAdmin in this day and
> >     > age frightens me greatly.  Also if you had a HIDS server running to
> >     > track bad phpMyAdmin logins I bet there would be a ton of alerts.
> >     > I've blocked all such attempts in my IPS even though I don't have
> >     > phpMyAdmin.
> >     >
> >     > I realize this does not answer your question, but if this fits
> >     > into your architecture I'd say goodbye to that web interface.
> >
> >     because it's nonsense to believe that you can manage to get
> >     everybody who probably needs to access mysql with his restricted
> >     account to learn how to use ssh-tunnels
> >
> >     and that you are plain wrong when you believe handing out ssh
> >     tunnels into your network for every random monkey increases security
> >
> >     not talking about that he is obviously a 3rd party to a customer
> >     where you have no say in that context
> >
> >     the problem is *exposing* phpMyAdmin for the whole world and asking
> >     stupid questions like which version before the latest one instead of
> >     just updating it, and when you are too dumb to build packages for
> >     the target OS, hire someone who is capable to do so or unpack that
> >     damned folder by hand
> >
> >     > On Wed, Apr 17, 2019 at 10:54 AM Reindl Harald
> >     > <h.reindl@xxxxxxxxxxxxx> wrote:
> >     >
> >     >     On 17.04.19 at 16:50 Turritopsis Dohrnii Teo En Ming wrote:
> >     >     > Subject/Topic: How do I determine if versions of phpMyAdmin
> >     >     > before 4.8.5 is SQL Injectable using sqlmap?
> >     >
> >     >     frankly, are you drunk?
> >     >
> >     >     you posted this exact same message to
> >     >
> >     >     * phpmyadmin list TWICE
> >     >     * oracle mysql list
> >     >     * now mariadb list
> >     >
> >     >     I seriously looked if my mailserver has a problem - stop it,
> >     >     damned!
>
> _______________________________________________
> Mailing list: https://launchpad.net/~maria-discuss
> Post to     : maria-discuss@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~maria-discuss
> More help   : https://help.launchpad.net/ListHelp
>
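Added example, not written by anyone in the thread: the account model Jeff describes at the top of this message (MariaDB logins that only work from the bastion host, split into read and write accounts per person) expressed as MariaDB statements. The bastion address 10.0.0.5, the schema appdb, the user names and the passwords are constructed placeholders.

```sql
-- Added example of the bastion-restricted account model from the thread.
-- 10.0.0.5 (bastion), appdb, alice_* and the passwords are constructed.
--
-- Client side (for context): the person tunnels through the bastion, so the
-- database server sees every connection as coming from the bastion address:
--   ssh -N -L 3306:db.internal:3306 alice@bastion
--   mysql -h 127.0.0.1 -P 3306 -u alice_ro -p

-- One login per capability, each bound to the bastion's address. The host
-- part means a leaked password is useless from anywhere else on the network.
CREATE USER 'alice_ro'@'10.0.0.5' IDENTIFIED BY 'constructed-ro-secret';
CREATE USER 'alice_rw'@'10.0.0.5' IDENTIFIED BY 'constructed-rw-secret';

-- Read group: SELECT only, scoped to a single schema.
GRANT SELECT ON appdb.* TO 'alice_ro'@'10.0.0.5';

-- Write group: DML only (no DDL, no GRANT OPTION), same single schema.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'alice_rw'@'10.0.0.5';

-- Check: an account such as 'alice_ro'@'%' would bypass the bastion
-- restriction entirely. This should return no application logins.
SELECT User, Host FROM mysql.user WHERE Host IN ('%', '');

-- Confirm what each login can actually do before handing it out.
SHOW GRANTS FOR 'alice_ro'@'10.0.0.5';
SHOW GRANTS FOR 'alice_rw'@'10.0.0.5';

-- Offboarding is symmetric to onboarding: drop both logins in one statement.
-- (Run when the person leaves, not as part of provisioning.)
-- DROP USER 'alice_ro'@'10.0.0.5', 'alice_rw'@'10.0.0.5';
```

Because the grants name the bastion's address explicitly, the same statements can be pushed to several database servers from a config management system, which is the "single call to multiple database servers" Jeff refers to.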
