On Sun, 10 Jun 2007, Matthew Seaman wrote:
 > Ian Smith wrote:
 > 
 > > Anyway, water under the bridge; phpMyAdmin 2.9.1 works fine, and I soon
 > > have another big upgrade to do (patiently awaiting xorg 7 packages :)
 > 
 > I take it you are aware of:
 > 
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-1
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-2
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-4

I am now, thanks.

 > and have taken steps to secure your phpMyAdmin installation.  Wrapping
 > phpMyAdmin inside HTTP Basic Auth is a good idea.  Even better if you
 > can also serve it via HTTPS.  Upgrading to the latest released version
 > (2.10.1) is certainly recommended.

I'm only running it on localhost currently for local database work, not
externally accessible, but your warnings are well appreciated.  Frankly
I don't have much confidence in PHP's security generally, let alone for
complex applications like phpMyAdmin using lots of JavaScript and such,
yet find pma the most useful thing for working with MySQL databases.

 > This isn't excessive paranoia -- there are webcrawlers in the wild
 > hunting for phpMyAdmin installations by trying all the common URLs
 > that PMA gets installed as, including what I recommend in the port.

Indeed it's not excessive; noticed here on Saturday on several sites on
a public server that's NOT running phpMyAdmin (all from this IP, fwiw):

87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /dbadmin/main.php HTTP/1.0" 404 284 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 291 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /admin/pma/main.php HTTP/1.0" 401 471 "-" "pmafind"

Cheers, Ian
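A detection pass over access-log lines like the ones Ian posted, added here as an example (it is not code from the thread, from phpMyAdmin or from the FreeBSD port). It parses Apache "combined" log lines, flags requests whose user-agent or requested path marks a phpMyAdmin probe, and groups them per client IP, keeping 401 and 404 responses apart because a 401 tells the scanner that something does sit behind that path. The eight probe lines are the ones from the mail, joined back onto one line each; the SCANNER_AGENTS set, the PMA_PATH_MARKERS list and the benign 192.0.2.10 line are assumptions and constructed sample data.

```python
"""Flag phpMyAdmin discovery probes in an Apache "combined" access log.

Added example for this thread, not code from the original mail or from
phpMyAdmin/FreeBSD. SCANNER_AGENTS and PMA_PATH_MARKERS are assumed
starting points to extend from your own logs.
"""
import re
from collections import defaultdict

# Apache "combined" LogFormat:
#   client ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# First eight lines: the probes posted in the thread (rejoined onto single lines).
# Last line: a constructed benign request from a documentation IP, to show it is ignored.
SAMPLE_LOG = """\
87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /dbadmin/main.php HTTP/1.0" 404 284 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 291 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /admin/pma/main.php HTTP/1.0" 401 471 "-" "pmafind"
192.0.2.10 - - [09/Jun/2007:18:06:01 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
"""

# User-agents that identify themselves as phpMyAdmin scanners (assumed set; "pmafind" is from the thread).
SCANNER_AGENTS = {"pmafind"}
# Lower-cased path fragments that normal visitors to a server without phpMyAdmin do not request (assumed list).
PMA_PATH_MARKERS = ("phpmyadmin", "/pma/", "/mysql/", "/dbadmin/", "/db/")


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_pma_probe(entry):
    """True when either the user-agent or the requested path marks a phpMyAdmin probe.

    Both checks matter: /admin/main.php carries no phpMyAdmin marker in its path and is
    only caught by the agent, while a scanner with a spoofed agent is only caught by the path.
    """
    if entry["agent"].lower() in SCANNER_AGENTS:
        return True
    path = entry["path"].lower()
    return any(marker in path for marker in PMA_PATH_MARKERS)


def summarize(log_text):
    """Group probe requests per client IP, counting 401 (auth-protected path exists) vs 404 answers."""
    per_ip = defaultdict(lambda: {"probes": 0, "unauthorized": 0, "not_found": 0, "paths": []})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_pma_probe(entry):
            continue
        rec = per_ip[entry["ip"]]
        rec["probes"] += 1
        rec["paths"].append(entry["path"])
        if entry["status"] == "401":
            rec["unauthorized"] += 1
        elif entry["status"] == "404":
            rec["not_found"] += 1
    return dict(per_ip)


def scanners(summary, threshold=3):
    """IPs that sent at least `threshold` probes: candidates for blocking or closer review."""
    return sorted(ip for ip, rec in summary.items() if rec["probes"] >= threshold)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for ip in scanners(summary):
        rec = summary[ip]
        print(f"{ip}: {rec['probes']} probes, {rec['unauthorized']} x 401, {rec['not_found']} x 404")
        for p in rec["paths"]:
            print("   ", p)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the 401 count per IP is the number worth watching, since those are the paths where the server has confirmed to the scanner that a protected resource exists, which is the situation the Basic Auth plus HTTPS advice in the thread is meant to cover.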

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions