Date:      Mon, 11 Jun 2007 03:14:22 +1000 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Matthew Seaman <m.seaman@infracaninophile.co.uk>
Cc:        Jonathan Horne <freebsd@dfwlp.com>, bob@a1poweruser.com, Christopher Hilton <chris@vindaloo.com>, freebsd-questions@freebsd.org
Subject:   Re: Php5 port and Apache Module
Message-ID:  <Pine.BSF.3.96.1070611024620.3978C-100000@gaia.nimnet.asn.au>
In-Reply-To: <466C040E.4080309@infracaninophile.co.uk>

On Sun, 10 Jun 2007, Matthew Seaman wrote:
 > Ian Smith wrote:
 > 
 > > Anyway, water under the bridge; phpMyAdmin 2.9.1 works fine, and I soon
 > > have another big upgrade to do (patiently awaiting xorg 7 packages :)
 > 
 > I take it you are aware of:
 > 
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-1
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-2
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-4

I am now, thanks.

 > and have taken steps to secure your phpMyAdmin installation.  Wrapping
 > phpMyAdmin inside HTTP Basic Auth is a good idea.  Even better if you
 > can also serve it via HTTPS.  Upgrading to the latest released version
 > (2.10.1) is certainly recommended.

I'm only running it on localhost currently for local database work, not
externally accessible, but your warnings are well appreciated.  Frankly
I don't have much confidence in PHP's security generally, let alone for
complex applications like phpMyAdmin using lots of javascript and such,
yet find pma the most useful thing for working with Mysql databases.

 > This isn't excessive paranoia -- there are webcrawlers in the wild
 > hunting for phpMyAdmin installations by trying all the common URLs
 > that PMA gets installed as, including what I recommend in the port.

Indeed it's not excessive; noticed here on Saturday on several sites on
a public server that's NOT running phpMyAdmin (all from this IP, fwiw):

87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /dbadmin/main.php HTTP/1.0" 404 284 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 291 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /admin/pma/main.php HTTP/1.0" 401 471 "-" "pmafind"

Cheers, Ian
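The probe traffic quoted in the message above is the kind of pattern a small log-watching script can surface for a defender. The following is an added example, not code from the thread, from phpMyAdmin or from the FreeBSD port: it parses Apache combined-format lines (constructed sample lines modelled on the quoted ones, using documentation-range addresses rather than the real client) and flags a client that either presents the "pmafind" user-agent or requests several distinct `.../main.php` paths within a short window. The window, the threshold, the `main.php` heuristic and the user-agent list are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format, the shape of the lines quoted in the message.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumptions for this example: user-agent substrings known from the thread,
# and how many distinct phpMyAdmin-style paths within WINDOW counts as a sweep.
SCANNER_UAS = ("pmafind",)
THRESHOLD = 4
WINDOW = timedelta(seconds=60)

# Constructed sample log (documentation-range IPs), modelled on the quoted lines.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"',
    '203.0.113.5 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"',
    '203.0.113.5 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"',
    '203.0.113.5 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"',
    '203.0.113.5 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"',
    '198.51.100.7 - - [09/Jun/2007:18:06:01 +1000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jun/2007:18:06:02 +1000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Jun/2007:18:07:10 +1000] "GET /phpmyadmin/main.php HTTP/1.1" 404 287 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Jun/2007:18:07:11 +1000] "GET /PMA/main.php HTTP/1.1" 404 280 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_pma_probe(rec):
    """Heuristic (an assumption): phpMyAdmin's front page is main.php under many directory names."""
    return rec["path"].lower().endswith("/main.php")


def detect_pma_probes(lines):
    """Return {client_ip: [reasons]} for clients that look like they are sweeping for phpMyAdmin."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []

        if any(s in r["ua"].lower() for r in recs for s in SCANNER_UAS):
            reasons.append("known scanner user-agent")

        # Largest number of distinct main.php paths requested inside any WINDOW-long span.
        best = 0
        for i, start in enumerate(recs):
            seen = set()
            for r in recs[i:]:
                if r["ts"] - start["ts"] > WINDOW:
                    break
                if is_pma_probe(r):
                    seen.add(r["path"])
            best = max(best, len(seen))
        if best >= THRESHOLD:
            reasons.append(f"{best} distinct main.php paths within {int(WINDOW.total_seconds())}s")

        # A 2xx on a probed path means an install actually answered; that deserves review.
        if any(is_pma_probe(r) and 200 <= r["status"] < 300 for r in recs):
            reasons.append("a probed phpMyAdmin path returned 2xx")

        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in detect_pma_probes(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Run against the constructed sample, the script flags 203.0.113.5 on both the user-agent and the burst of distinct paths, while the ordinary browser and the client that tried only two paths are left alone. The third reason is the one worth paging on: a 2xx on one of these paths means a reachable install, which is exactly the case Matthew's advice about Basic Auth and HTTPS is meant to cover.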
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.1070611024620.3978C-100000>