ispCP - Board - Support
PMA Auto Login / Prevent users not logged in to access PMA - Printable Version



PMA Auto Login / Prevent users not logged in to access PMA - Breaki - 09-28-2007 09:35 PM

This post replies to #154 and #358.

The code for auto login is ready, but what about #154 (phpMyAdmin should be in restricted area)? At the moment my script prevents all access to the ispCP PMA if the user is not logged into ispCP (redirected to login page), but with a little change it would be possible to allow it to all again. I think this would increase the security against scanners who try /tools/pma/ .

What do you think about it?

(I don't think that I can release the code today, because I am away the whole weekend :( )


RE: PMA Auto Login / Prevent users not logged in to access PMA - Zothos - 09-28-2007 11:47 PM

I personally disagree with that. I'm working very often just at the pma. And if I have to log in first, and then log into pma, that wouldn't be a solution I prefer :P


RE: PMA Auto Login / Prevent users not logged in to access PMA - joximu - 09-29-2007 05:15 AM

Zothos Wrote: I personally disagree with that. I'm working very often just at the pma. And if I have to log in first, and then log into pma, that wouldn't be a solution I prefer :P

I agree with Zothos - on the other side:
you can install another pma with another security (ssl :-) and use this one.
For the customers you can use the way Breaki is describing...

Well - maybe there are some developers who don't like the "via ispcp" way. Maybe they install their own pma on the site - and this is worse... isn't it?

/Joximu


RE: PMA Auto Login / Prevent users not logged in to access PMA - Zothos - 09-29-2007 05:32 AM

hm, you are right joximu.

In my use case this would not be a good solution. But when looking at the normal use case, it would increase the security. Maybe it's worth getting this into core.
And it's done this way on other control panels, too. I have seen it on the 1und1 (a German hosting provider) control panel, just as an example.


RE: PMA Auto Login / Prevent users not logged in to access PMA - joximu - 09-29-2007 05:54 AM

...
I'm still not sure what's better. Let's see:

+ increasing security by only being able to use pma when logged in into ispcp
+ easy for people who only start the pma out of ispcp (if there are no other passwords needed)

- if pma is *only* available via ispcp, then maybe customers install their own pma in their site and won't update it -> really bad.
- If you're developing on a database application you often need only pma access. For me this would lead to the point above... (my own pma)

So, maybe a good solution:
a) make it possible to start pma directly out of ispcp - without any passwords (since you can change the mysql passwords there is no sense in asking them)
b) let the "/tools/pma" open for the developers or people who are only interested in pma access... (this is better: you care for an actual version of pma - customers don't)

Make more secure -> use SSL
Maybe put some restrictions in it (root only from your own IP, or whatever...)

My 4 cents... :-)
Joximu


RE: PMA Auto Login / Prevent users not logged in to access PMA - Cube - 09-29-2007 06:02 AM

An autologin to pma and also webmail for logged in user would be nice. For example for users who have more than one mail address it would be easier to check them.
But it still should be possible to use these tools without login to ispcp. If I would have a hoster who makes things so complicated I would install my own pma on my webspace. And this wouldn't increase security!


RE: PMA Auto Login / Prevent users not logged in to access PMA - Zothos - 09-29-2007 06:48 AM

When we decide to implement it, then we need an option somewhere in the admin interface. So the main admin is able to disable this security thing or even enable it :P


RE: PMA Auto Login / Prevent users not logged in to access PMA - BeNe - 09-29-2007 07:12 PM

I'm with joximu:
Quote: a) make it possible to start pma directly out of ispcp - without any passwords (since you can change the mysql passwords there is no sense in asking them)
b) let the "/tools/pma" open for the developers or people who are only interested in pma access... (this is better: you care for an actual version of pma - customers don't)
And this also makes sense for me in a later version
Quote: So the main admin is able to disable this security thing or even enable it

I checked my apache log and there are many entries about scans with pma, phpmyadmin, admin/pma and so on.

Greez BeNe
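
The scan entries BeNe describes can be picked out of an access log programmatically. The following is an added example, not part of the original thread or of ispCP: it assumes the Apache common/combined log format, uses the path names mentioned in the thread, and runs on a constructed sample log (function names and the threshold are hypothetical).

```python
import re
from collections import defaultdict

# Apache common/combined format: host ident user [time] "METHOD url proto" status ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# A path segment named "pma" or starting with "phpmyadmin" (e.g. phpMyAdmin-2.6.0).
PMA_RE = re.compile(r"/(?:pma|phpmyadmin[^/]*)(?=/|$)", re.IGNORECASE)

def pma_requests(lines):
    """Yield (client_ip, pma_location, status) for each PMA-like request."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, url, status = m.groups()
        path = url.split("?", 1)[0]  # drop the query string
        hit = PMA_RE.search(path)
        if hit:
            yield ip, path[:hit.end()].lower(), int(status)

def find_scanners(lines, min_locations=3):
    """Clients that guessed at least min_locations different PMA locations."""
    guessed = defaultdict(set)
    for ip, location, _status in pma_requests(lines):
        guessed[ip].add(location)
    return {ip: sorted(locs) for ip, locs in guessed.items() if len(locs) >= min_locations}

def answering_locations(lines):
    """PMA-like locations that did not return 404, i.e. installs that exist."""
    return sorted({loc for _ip, loc, status in pma_requests(lines) if status != 404})

# Constructed sample log (documentation IP ranges, invented timestamps and sizes).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Sep/2007:18:01:02 +0200] "GET /pma/ HTTP/1.0" 404 208',
    '203.0.113.7 - - [29/Sep/2007:18:01:02 +0200] "GET /phpmyadmin/ HTTP/1.0" 404 215',
    '203.0.113.7 - - [29/Sep/2007:18:01:03 +0200] "GET /admin/pma/ HTTP/1.0" 404 214',
    '203.0.113.7 - - [29/Sep/2007:18:01:03 +0200] "GET /phpMyAdmin-2.6.0/main.php HTTP/1.0" 404 226',
    '203.0.113.7 - - [29/Sep/2007:18:01:04 +0200] "GET /tools/pma/ HTTP/1.0" 200 5120',
    '198.51.100.20 - - [29/Sep/2007:18:05:10 +0200] "GET /tools/pma/index.php?lang=en HTTP/1.1" 200 5120',
    '198.51.100.20 - - [29/Sep/2007:18:05:12 +0200] "GET /tools/pma/main.php HTTP/1.1" 200 7340',
]

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
    print(answering_locations(SAMPLE_LOG))
```

A client that only uses the panel's own /tools/pma/ counts as one location and is not flagged; `answering_locations` is the list to review for PMA copies that customers installed themselves.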


RE: PMA Auto Login / Prevent users not logged in to access PMA - joximu - 09-29-2007 07:43 PM

BeNe Wrote: I checked my apache log and there are many entries about scans with pma, phpmyadmin, admin/pma and so on.

yes - I have them too - but mostly they are scanning for old phpMyAdmin versions. That's why I'd rather have *one pma for all* (always an updated version) than several old versions in the folders of the hosting customers.

Better to have a good control of a risk than a lot of risks without control...
(ok, the pma from ispcp is more powerful than the one of the customers - but who knows what can be done with an old pma version...)

/Joximu


RE: PMA Auto Login / Prevent users not logged in to access PMA - Breaki - 10-01-2007 12:32 AM

O.K., I am back ;)

Now I will sleep a bit and then I will release the code for autologin, without preventing users who are not logged into ispCP. (But with the ability to turn it on @ /tools/pma/config.inc.php)

Greetz