Php5 port and Apache Module

Ian Smith smithi at nimnet.asn.au
Sun Jun 10 17:15:26 UTC 2007


On Sun, 10 Jun 2007, Matthew Seaman wrote:
 > Ian Smith wrote:
 > 
 > > Anyway, water under the bridge; phpMyAdmin 2.9.1 works fine, and I soon
 > > have another big upgrade to do (patiently awaiting xorg 7 packages :)
 > 
 > I take it you are aware of:
 > 
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-1
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-2
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3
 > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-4

I am now, thanks.

 > and have taken steps to secure your phpMyAdmin installation.  Wrapping
 > phpMyAdmin inside HTTP Basic Auth is a good idea.  Even better if you
 > can also serve it via HTTPS.  Upgrading to the latest released version
 > (2.10.1) is certainly recommended.

I'm only running it on localhost currently for local database work, not
externally accessible, but your warnings are well appreciated.  Frankly
I don't have much confidence in PHP's security generally, let alone for
complex applications like phpMyAdmin using lots of javascript and such,
yet find pma the most useful thing for working with Mysql databases.

 > This isn't excessive paranoia -- there are webcrawlers in the wild
 > hunting for phpMyAdmin installations by trying all the common URLs
 > that PMA gets installed as, including what I recommend in the port.

Indeed it's not excessive; noticed here on Saturday on several sites on
a public server that's NOT running phpMyAdmin (all from this IP, fwiw):

87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /dbadmin/main.php HTTP/1.0" 404 284 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 291 "-" "pmafind"
87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /admin/pma/main.php HTTP/1.0" 401 471 "-" "pmafind"

Cheers, Ian
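The access-log excerpt above is exactly the kind of thing a defender wants to catch automatically. The following is an added example, not code from the original thread or from the phpMyAdmin port: it parses Apache combined-format log lines (the eight lines Ian quoted, plus two constructed benign lines from a made-up address 10.0.0.5) and flags a client as a phpMyAdmin probe when it either announces a known scanner User-Agent or requests several distinct phpMyAdmin-style paths within a short window. The agent list, path pattern, 60-second window and three-path threshold are assumptions chosen for this example, not values from the post.

```python
"""Flag phpMyAdmin path-probing scans in Apache combined-format access logs.

Added example (not part of the original mailing-list post). Thresholds and
patterns below are assumptions for illustration, tune them for a real site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Heuristics (assumed for this example): a User-Agent known to belong to a
# phpMyAdmin scanner, and a pattern for the common directory names
# phpMyAdmin gets installed under.
SCANNER_AGENTS = {"pmafind"}
PMA_PATH_RE = re.compile(
    r"/(phpmyadmin|pma|mysql|db|dbadmin|admin)\b.*main\.php", re.IGNORECASE
)
WINDOW = timedelta(seconds=60)   # burst window
MIN_DISTINCT_PATHS = 3           # distinct PMA-style paths inside WINDOW

# Constructed sample input: the lines quoted in the post, plus two benign
# lines from a made-up internal address (one ordinary page, one legitimate
# single phpMyAdmin request that should NOT be flagged).
SAMPLE_LOG = [
    '87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /phpmyadmin/main.php HTTP/1.0" 404 287 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:44 +1000] "GET /PMA/main.php HTTP/1.0" 404 280 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /mysql/main.php HTTP/1.0" 404 282 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:45 +1000] "GET /admin/main.php HTTP/1.0" 401 471 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /db/main.php HTTP/1.0" 404 279 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:46 +1000] "GET /dbadmin/main.php HTTP/1.0" 404 284 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /web/phpMyAdmin/main.php HTTP/1.0" 404 291 "-" "pmafind"',
    '87.106.25.69 - - [09/Jun/2007:18:05:47 +1000] "GET /admin/pma/main.php HTTP/1.0" 401 471 "-" "pmafind"',
    '10.0.0.5 - - [09/Jun/2007:18:07:01 +1000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [09/Jun/2007:18:07:05 +1000] "GET /phpmyadmin/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_scanners(lines):
    """Return {ip: [reasons]} for clients that look like phpMyAdmin probes."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    verdicts = {}
    for ip, recs in by_ip.items():
        reasons = set()
        # Rule 1: self-identifying scanner User-Agent.
        if {r["agent"] for r in recs} & SCANNER_AGENTS:
            reasons.add("scanner user-agent")
        # Rule 2: burst of distinct phpMyAdmin-style paths, regardless of
        # the status code (a 404/401 storm is itself the signal).
        pma = sorted((r for r in recs if PMA_PATH_RE.search(r["path"])),
                     key=lambda r: r["time"])
        for i, start in enumerate(pma):
            paths = {r["path"].lower() for r in pma[i:]
                     if r["time"] - start["time"] <= WINDOW}
            if len(paths) >= MIN_DISTINCT_PATHS:
                reasons.add("burst of distinct phpMyAdmin paths")
                break
        if reasons:
            verdicts[ip] = sorted(reasons)
    return verdicts


if __name__ == "__main__":
    for ip, why in find_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(why)}")
```

Run as-is it reports only 87.106.25.69 (both rules fire); the single legitimate phpMyAdmin request from 10.0.0.5 stays quiet. The path-burst rule is the one worth keeping even after the User-Agent string changes, since a crawler walking through the common install names has no way to avoid producing that pattern; feeding the verdicts to a firewall table or to a rate limiter is the natural next step, and it complements rather than replaces the Basic Auth and HTTPS wrapping Matthew recommends.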



More information about the freebsd-questions mailing list