>> Other solution would be to require a secure token in the URL of each page
>
> Which is something we have already done for several years (I think I
> implemented it somewhere in 2006). And hey, it is still possible to
> bookmark pages.
The current solution does not prevent same-domain clickjacking because
if you access, for example, http://localhost/phpMyAdmin/?db=cds (without a
token), phpMyAdmin still happily works.
> Anyway, it is nice that it allows you to collect sensitive information
> on adminer.org :-). I think it rather should not leave the server where
> the application is running, so there should be a redirect done in the
> application itself (and that's actually what I've implemented in
> phpMyAdmin). Redirecting using an external service also hides the
> location of the application itself, but it also makes you dependent on
> the external service.
I suppose that if you trust Adminer then you also trust its web site
;-). The best hiding method is running HTTPS, which hides the referer
automatically - this is the same for both tools. A redirect inside the
application unfortunately can't hide the URL of the application. Your
current solution is not perfect (there is a needless redirect under
HTTPS), but it is progress.
I'm really glad that my comparison led to improving phpMyAdmin somehow:
http://j.mp/ic9zPq

Jakub Vrána
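The point made above is that a token in the URL only helps if it is checked on every request, including a bare URL such as ?db=cds; a page that still works without the token gives an attacker a stable address to frame. The following PHP is an added example, not code from phpMyAdmin or Adminer: the function names, the session array and the sample URLs are assumptions made for the demonstration. It issues one token per session, appends it to every generated link (so bookmarks keep working), and refuses any request that does not carry a matching token, compared in constant time.

```php
<?php
// Added example (not phpMyAdmin or Adminer code): require a per-session
// token on every request, so a plain ?db=cds URL is no longer served.

declare(strict_types=1);

// Create a fresh random token and store it server-side in the session.
function issue_token(array &$session): string
{
    $session['token'] = bin2hex(random_bytes(32)); // 64 hex characters
    return $session['token'];
}

// Decide whether a request may be served: the token must be present in the
// query string and equal to the one stored in the session.
function request_allowed(array $query, array $session): bool
{
    if (!isset($session['token'], $query['token'])) {
        return false; // missing token: refuse, even for a harmless-looking ?db=cds
    }
    if (!is_string($query['token'])) {
        return false; // arrays or other types are never a valid token
    }
    // hash_equals() compares in constant time, so a wrong guess does not
    // leak how many leading bytes matched.
    return hash_equals($session['token'], $query['token']);
}

// Append the token to a generated link, keeping any existing query string.
function add_token(string $url, string $token): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'token=' . rawurlencode($token);
}

// Constructed demonstration: one session, three incoming URLs.
$session = [];
$token   = issue_token($session);

$requests = [
    'http://localhost/phpMyAdmin/?db=cds',                      // no token at all
    add_token('http://localhost/phpMyAdmin/?db=cds', $token),   // correct token
    add_token('http://localhost/phpMyAdmin/?db=cds', 'guessed'), // wrong token
];

foreach ($requests as $url) {
    $query = [];
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    printf("%-75s %s\n", $url, request_allowed($query, $session) ? 'allowed' : 'rejected');
}
```

Only the second URL is served; the first and third are rejected, which is the behaviour the message says the current phpMyAdmin check lacks. The check is deliberately placed before any database work, so every page, not only forms, goes through it.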
_______________________________________________
Phpmyadmin-users mailing list
Phpmyadmin-users@...
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users