PMA Auto Login / Prevent users not logged in to access PMA
Breaki Offline
Junior Member
*

Posts: 109
Joined: Sep 2007
Reputation: 5
Post: #1
PMA Auto Login / Prevent users not logged in to access PMA
This post replies to #154 and #358.

The code for auto login is ready, but what about #154 (phpMyAdmin should be in restricted area)? At the moment my script prevents all access to the ispCP PMA if the user is not logged into ispCP (redirected to login page), but with a little change it would be possible to allow it to all again. I think this would increase the security against scanners who try /tools/pma/.

What do you think about it?

(I don't think that I can release the code today, because I am away the whole weekend :( )
09-28-2007 09:35 PM
Zothos Offline
Release Manager
*****
Dev Team

Posts: 1,262
Joined: Feb 2007
Reputation: 10
Post: #2
RE: PMA Auto Login / Prevent users not logged in to access PMA
I personally disagree with that. I'm working very often just at the pma. And if I have to login first, and then login into pma. Wouldn't be a solution I prefer :P
09-28-2007 11:47 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #3
RE: PMA Auto Login / Prevent users not logged in to access PMA
Zothos Wrote: I personally disagree with that. I'm working very often just at the pma. And if I have to login first, and then login into pma. Wouldn't be a solution I prefer :P

I agree with Zothos - on the other side:
you can install another pma with another security (ssl :-) and use this one.
For the customers you can use the way Breaki is describing...

Well - maybe there are some developers who don't like the "via ispcp" way. Maybe they install their own pma on the site - and this is worse... isn't it?

/Joximu
09-29-2007 05:15 AM
Zothos Offline
Release Manager
*****
Dev Team

Posts: 1,262
Joined: Feb 2007
Reputation: 10
Post: #4
RE: PMA Auto Login / Prevent users not logged in to access PMA
Hm, you are right joximu.

In my use case this would be not a good solution. But when looking at the normal use case, it would increase the security. Maybe it's worth getting this into core.
And it's done this way on other control panels, too. I have seen it on the 1und1 (a German hosting provider) control panel, just as an example.
09-29-2007 05:32 AM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #5
RE: PMA Auto Login / Prevent users not logged in to access PMA
...
I'm still not sure what's better. Let's see:

+ increasing security by only being able to use pma when logged in to ispcp
+ easy for people who only start the pma out of ispcp (if there are no other passwords needed)

- if pma is *only* available via ispcp, then maybe customers install their own pma in their site and won't update it -> really bad.
- If you're developing on a database application you often need only pma access. For me this would lead to the point above... (my own pma)

So, maybe a good solution:
a) make it possible to start pma directly out of ispcp - without any passwords (since you can change the mysql passwords there is no sense in asking them)
b) let the "/tools/pma" open for the developers or people who are only interested in pma access... (this is better: you care for an actual version of pma - customers don't)

Make more secure -> use SSL
Maybe put some restrictions in it (root only from your own IP, or whatever...)

My 4 cents... :-)
Joximu
09-29-2007 05:54 AM
Cube Offline
Member
***

Posts: 740
Joined: Apr 2007
Reputation: 9
Post: #6
RE: PMA Auto Login / Prevent users not logged in to access PMA
An autologin to pma and also webmail for logged-in users would be nice. For example, for users who have more than one mail address it would be easier to check them.
But it still should be possible to use these tools without login to ispcp. If I would have a hoster who makes things so complicated I would install my own pma on my webspace. And this wouldn't increase security!
09-29-2007 06:02 AM
Zothos Offline
Release Manager
*****
Dev Team

Posts: 1,262
Joined: Feb 2007
Reputation: 10
Post: #7
RE: PMA Auto Login / Prevent users not logged in to access PMA
When we decide to implement it, then we need an option somewhere in the admin interface. So the main admin is able to disable this security thing or even enable it :P
09-29-2007 06:48 AM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #8
RE: PMA Auto Login / Prevent users not logged in to access PMA
I'm with joximu:
Quote: a) make it possible to start pma directly out of ispcp - without any passwords (since you can change the mysql passwords there is no sense in asking them)
b) let the "/tools/pma" open for the developers or people who are only interested in pma access... (this is better: you care for an actual version of pma - customers don't)
And this also makes sense for me in a later version
Quote: So the main admin is able to disable this security thing or even enable it

I checked my apache log and there are many entries about scans with pma, phpmyadmin, admin/pma and so on.

Greez BeNe
09-29-2007 07:12 PM
joximu Offline
helper
*****
Moderators

Posts: 7,024
Joined: Jan 2007
Reputation: 92
Post: #9
RE: PMA Auto Login / Prevent users not logged in to access PMA
BeNe Wrote: I checked my apache log and there are many entries about scans with pma, phpmyadmin, admin/pma and so on.

Yes - I have them too - but mostly they are scanning for old phpMyAdmin versions. That's why I'd rather have *one pma for all* (always an updated version) than several old versions in the folders of the hosting customers.

Better to have a good control of a risk than a lot of risks without control...
(ok, the pma from ispcp is more powerful than the one of the customers - but who knows what can be done with an old pma version...)

/Joximu
09-29-2007 07:43 PM
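BeNe's and joximu's posts above mention Apache log entries from scans for pma, phpmyadmin, admin/pma and old phpMyAdmin versions. The following is an added example, not part of the original thread and not ispCP code: a Python script that flags clients which requested several distinct phpMyAdmin-like paths that do not exist. The log lines are constructed, and the 404 heuristic, the threshold of three and the name `find_pma_probers` are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined log format (not taken from the thread).
SAMPLE_LOG = """\
203.0.113.7 - - [29/Sep/2007:18:01:12 +0200] "GET /pma/main.php HTTP/1.0" 404 208 "-" "-"
203.0.113.7 - - [29/Sep/2007:18:01:12 +0200] "GET /phpmyadmin/main.php HTTP/1.0" 404 215 "-" "-"
203.0.113.7 - - [29/Sep/2007:18:01:13 +0200] "GET /admin/pma/main.php HTTP/1.0" 404 214 "-" "-"
203.0.113.7 - - [29/Sep/2007:18:01:13 +0200] "GET /phpMyAdmin-2.5.6/main.php HTTP/1.0" 404 221 "-" "-"
198.51.100.20 - - [29/Sep/2007:18:05:40 +0200] "GET /tools/pma/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Sep/2007:18:05:44 +0200] "POST /tools/pma/index.php HTTP/1.1" 200 7344 "-" "Mozilla/5.0"
192.0.2.55 - - [29/Sep/2007:18:09:02 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Client address, request path and status code of one combined-format line.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Directory prefix ending in a segment named pma, phpmyadmin or phpMyAdmin-<version>.
PMA_RE = re.compile(r'^((?:/[^/?]+)*?/(?:pma|phpmyadmin)(?:-[\w.]+)?)(?:[/?]|$)', re.I)


def find_pma_probers(log_text, min_missing=3):
    """Return {client: sorted pma-like prefixes} for clients that asked for at
    least min_missing distinct pma-like prefixes answered with 404.
    Assumption: a real user hits one existing install; a scanner guesses many."""
    missing = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format, ignore
        client, path, status = m.groups()
        hit = PMA_RE.match(path)
        if hit and status == "404":
            missing[client].add(hit.group(1).lower())
    return {c: sorted(p) for c, p in missing.items() if len(p) >= min_missing}


if __name__ == "__main__":
    for client, prefixes in find_pma_probers(SAMPLE_LOG).items():
        print(client, "probed", ", ".join(prefixes))
```

Version-suffixed prefixes in the result, such as `/phpmyadmin-2.5.6` in the constructed sample, show which old releases a scanner is looking for.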
Breaki Offline
Junior Member
*

Posts: 109
Joined: Sep 2007
Reputation: 5
Post: #10
RE: PMA Auto Login / Prevent users not logged in to access PMA
O.K. I am back ;)

Now I will sleep a bit and then I will release the code for autologin, without preventing users who are not logged into ispCP. (But with the ability to turn it on @ /tools/pma/config.inc.php)

Greetz
10-01-2007 12:32 AM