
maria-discuss team mailing list archive

Re: How do I determine if versions of phpMyAdmin before 4.8.5 is SQL Injectable using sqlmap?


I've done this and I'm doing this; it's not hard. Everyone that needs DB
access can read a README and give me a public key in a matter of seconds.
I'll take SSH over HTTP auth and a freaking app that can drop
tables/databases via a SQL injection bug any day of the week. Granted, that
could be from poor user management, as NO ONE has access to do anything
destructive.

I really don't care if you don't believe me, because this process has been
fluid with 0 issues since I started using it about 6 years ago. Oh, and
yesterday's users were 100% ordinary users (it doesn't get much more
ordinary than marketing); they were added to the slave group with select
only, and didn't get added to anything production related.

To your next email: phpMyAdmin will never be part of a production stack.
I'll trust that you know how to handle your users, and trust that I will do
what I feel is best for me.



On Wed, Apr 17, 2019 at 4:43 PM Reindl Harald <h.reindl@xxxxxxxxxxxxx>
wrote:

>
>
> On 17.04.19 at 22:39, Jeff Dyke wrote:
> > How can you say it doesn't scale when you have no idea how I'm set up.
> > I had to add 5 users yesterday; it took 5-10 (mostly talking to people)
> > minutes. Using a config mgmt system I set up ssh and mysql in the same
> > single call to multiple database servers. Some users will have multiple
> > logins based on the ability to read and the ability to write, which is
> > based on the configured security group. It scales quite well indeed, and
> > I don't have to worry about a php application where security risks are
> > more prone to come with each update. Also, http-auth takes admin as
> > well.
>
> yeah, explain to ordinary users how to get ssh certificates all day long,
> and don't come with "but for the tunnel password auth is enough" when
> you weaken the most crucial service on a system for a damned web
> application
>
