safe to leave phpmyadmin on a production server??


safe to leave phpmyadmin on a production server??

by Christopher Bruno

Hello,

I am a user of phpmyadmin and leave it accessible on my server (password protected) so I can remotely manage my database (add/delete rows of a table). An IT guy I know called me a dumbass for doing this, saying it isn't safe and that I am inviting trouble. He uses the MySQL Administrator GUI. I don't see a difference - in either case you can only gain access if you have the username and password. Who is wrong?



--
Chris Bruno
n! Labs

------------------------------------------------------------------------------

_______________________________________________
Phpmyadmin-users mailing list
Phpmyadmin-users@...
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-users

Re: safe to leave phpmyadmin on a production server??

by Marc Delisle-2

Christopher Bruno wrote:
> Hello,
>
> I am a user of phpmyadmin and leave it accessible on my server (password
> protected) so I can remotely manage my database (add/delete rows of a
> table). An IT guy I know called me a dumbass for doing this, saying it
> isn't safe and that I am inviting trouble. He uses the MySQL
> Administrator GUI. I don't see a difference - in either case you can
> only gain access if you have the username and password. Who is wrong?

Hi,
well, as you might know, 100% security does not exist on the Web -- at
least this is what I was told. So, a web application like phpMyAdmin
is prone to brute-force attacks. In Documentation.html, FAQ 8.2, we talk
about how to report these attacks if you are running Apache.

In short, between saying "it's not safe" and saying "it's 100% safe"
there is a margin where phpMyAdmin lives.

I don't remember any report in our PMASA advisories that permitted
someone to log in without the correct credentials, mostly because these
are verified by the MySQL server.

--
Marc Delisle
http://infomarc.info


Re: safe to leave phpmyadmin on a production server??

by UP-9

On Mon, 29 Jun 2009, Marc Delisle wrote:

> Christopher Bruno wrote:
>> Hello,
>>
>> I am a user of phpmyadmin and leave it accessible on my server (password
>> protected) so I can remotely manage my database (add/delete rows of a
>> table). An IT guy I know called me a dumbass for doing this, saying it
>> isn't safe and that I am inviting trouble. He uses the MySQL
>> Administrator GUI. I don't see a difference - in either case you can
>> only gain access if you have the username and password. Who is wrong?
>
> Hi,
> well, as you might know, 100% security does not exist on the Web -- at
> least this is what I was told. So, a web application like phpMyAdmin
> is prone to brute-force attacks. In Documentation.html, FAQ 8.2, we talk
> about how to report these attacks if you are running Apache.
>
> In short, between saying "it's not safe" and saying "it's 100% safe"
> there is a margin where phpMyAdmin lives.
>
> I don't remember any report in our PMASA advisories that permitted
> someone to log in without the correct credentials, mostly because these
> are verified by the MySQL server.
phpMyAdmin, at least in this regard, is no different from any other
authenticated server: sshd, ftpd, telnetd, pop3d, etc. Like those, there
are measures to deal with brute-force attacks by firewalling the attacking
IP after a certain number of failed login attempts.

James Smallacombe      PlantageNet, Inc. CEO and Janitor
up@...    http://3.am
=========================================================================
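As an added example (not from the thread or the phpMyAdmin project), here is the fail2ban-style rule Marc and James describe, run over constructed Apache error-log lines: count rejected logins per client IP inside a sliding time window and flag the IPs that cross the threshold, which is the decision a firewall-blocking jail makes. The "user denied" line shape is an assumption about what phpMyAdmin writes for failed logins (check FAQ 8.2 and your own error log for the exact format), and the threshold and window are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Apache error-log lines in the shape assumed for
# phpMyAdmin's rejected-login messages (verify against your own log).
SAMPLE_LOG = """\
[Wed Jul 01 08:10:02 2009] [error] [client 203.0.113.7] user denied: root (mysql-denied) from 203.0.113.7
[Wed Jul 01 08:10:05 2009] [error] [client 203.0.113.7] user denied: admin (mysql-denied) from 203.0.113.7
[Wed Jul 01 08:10:09 2009] [error] [client 203.0.113.7] user denied: root (mysql-denied) from 203.0.113.7
[Wed Jul 01 08:10:14 2009] [error] [client 203.0.113.7] user denied: test (mysql-denied) from 203.0.113.7
[Wed Jul 01 08:10:21 2009] [error] [client 203.0.113.7] user denied: root (mysql-denied) from 203.0.113.7
[Wed Jul 01 08:12:40 2009] [error] [client 198.51.100.9] user denied: chris (mysql-denied) from 198.51.100.9
[Wed Jul 01 09:30:00 2009] [error] [client 198.51.100.9] user denied: chris (mysql-denied) from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client [^\]]+\] "
    r"user denied: (?P<user>\S+) \((?P<reason>[^)]+)\) from (?P<ip>\S+)$"
)
TS_FMT = "%a %b %d %H:%M:%S %Y"  # Apache 2.2 error-log timestamp


def parse_failures(log_text):
    """Yield (timestamp, ip, user) for each rejected-login line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["user"]


def offenders(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: failure_count} for IPs with >= max_failures inside one window.

    Sliding window per IP: the same maxretry/findtime rule a fail2ban jail
    evaluates before inserting a firewall block for the source address.
    """
    recent = defaultdict(list)
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        bucket = recent[ip]
        bucket.append(ts)
        # keep only failures that fall inside the window ending at this one
        recent[ip] = bucket = [t for t in bucket if ts - t <= window]
        if len(bucket) >= max_failures:
            flagged[ip] = max(flagged.get(ip, 0), len(bucket))
    return flagged


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # the 5-in-19-seconds client is flagged
```

Two slow failures 77 minutes apart (the 198.51.100.9 lines) stay under the default window, which is the distinction between a mistyped password and a dictionary run.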

Re: safe to leave phpmyadmin on a production server??

by Christopher Bruno

Thanks for the feedback.
Sounds like phpmyadmin is as safe as any other popular db manager -- I guess I'm dealing with one of those IT professionals who like to debate competing solutions for the reason of making themselves feel important.

On Wed, Jul 1, 2009 at 8:14 AM, <up@...> wrote:
> On Mon, 29 Jun 2009, Marc Delisle wrote:
>
>> Christopher Bruno wrote:
>>> Hello,
>>>
>>> I am a user of phpmyadmin and leave it accessible on my server (password
>>> protected) so I can remotely manage my database (add/delete rows of a
>>> table). An IT guy I know called me a dumbass for doing this, saying it
>>> isn't safe and that I am inviting trouble. He uses the MySQL
>>> Administrator GUI. I don't see a difference - in either case you can
>>> only gain access if you have the username and password. Who is wrong?
>>
>> Hi,
>> well, as you might know, 100% security does not exist on the Web -- at
>> least this is what I was told. So, a web application like phpMyAdmin
>> is prone to brute-force attacks. In Documentation.html, FAQ 8.2, we talk
>> about how to report these attacks if you are running Apache.
>>
>> In short, between saying "it's not safe" and saying "it's 100% safe"
>> there is a margin where phpMyAdmin lives.
>>
>> I don't remember any report in our PMASA advisories that permitted
>> someone to log in without the correct credentials, mostly because these
>> are verified by the MySQL server.
>
> phpMyAdmin, at least in this regard, is no different from any other
> authenticated server: sshd, ftpd, telnetd, pop3d, etc. Like those, there
> are measures to deal with brute-force attacks by firewalling the attacking
> IP after a certain number of failed login attempts.
>
> James Smallacombe                     PlantageNet, Inc. CEO and Janitor
> up@...                                                     http://3.am
> =========================================================================



--
Chris Bruno
n! Labs
