
Add adminer to the toolset?

Posted: 22 May 2016 09:29
by ovizii
Just an idea, as I had need of checking the mysql DBs and tables to check if some of my filters were actually logging anything. https://www.adminer.org/

Re: Add adminer to the toolset?

Posted: 29 Sep 2016 05:26
by pdwalker
I would actually recommend against it. phpmyadmin/adminer actually presents a large security hole if it ever becomes accessible to the outside world.

Instead, I prefer to make a tunnelled ssh connection for mysql to the database and then use a tool like mysqlworkbench to check my database. This is much more secure and provides better tools for accessing your database.

Does anyone need a tutorial on how to create a tunnelled connection to do this?

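The tunnelled connection described in the post above, written out as an added example (this is not the poster's tutorial nor part of the EFA project). Host name, SSH user and the local port 3307 are placeholders; the remote database is assumed to listen only on its own loopback port 3306, which is exactly the situation in which the tunnel is useful:

```shell
#!/bin/sh
# Added example (not from the thread): forward a loopback-only local port
# over SSH to a remote MySQL that only listens on 127.0.0.1:3306, then point
# a local client at the forwarded port. All host/user names are placeholders.
set -eu

# Print the ssh command for the forward. -N: no remote shell, just the
# forward. -L bind:lport:host:hport. Binding to 127.0.0.1 keeps the forwarded
# port off the LAN; the remote side of the forward is the server's own
# loopback, so MySQL does not need to listen on any external interface.
tunnel_cmd() {
  ssh_host="$1"; ssh_user="$2"; local_port="$3"; remote_port="${4:-3306}"
  printf 'ssh -N -L 127.0.0.1:%s:127.0.0.1:%s %s@%s' \
    "$local_port" "$remote_port" "$ssh_user" "$ssh_host"
}

# Print the client command. The mysql client treats -h localhost as "use the
# Unix socket", which silently bypasses the tunnel; 127.0.0.1 plus
# --protocol=TCP forces the traffic through the forwarded port.
client_cmd() {
  local_port="$1"; db_user="$2"
  printf 'mysql --protocol=TCP -h 127.0.0.1 -P %s -u %s -p' \
    "$local_port" "$db_user"
}

# Accept only a numeric port in 1..65535.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Refuse to start if something already listens on the chosen local port;
# ssh would only warn about the failed forward and keep running without it.
port_free() {
  port="$1"
  if command -v ss >/dev/null 2>&1; then
    ! ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]${port}\$"
  else
    ! netstat -an 2>/dev/null | grep -Eq "[:.]${port} .*LISTEN"
  fi
}

main() {
  local_port=3307
  valid_port "$local_port" || { echo "bad port: $local_port" >&2; exit 1; }
  port_free "$local_port" || { echo "port $local_port already in use" >&2; exit 1; }
  echo "1. start the tunnel in one terminal and leave it running:"
  tunnel_cmd efa.example.com efaadmin "$local_port"; echo
  echo "2. connect in another terminal (or point MySQL Workbench at 127.0.0.1:$local_port):"
  client_cmd "$local_port" root; echo
}

# Set RUN_EXAMPLE=1 to print the two commands; the functions are otherwise
# only defined so they can be sourced or tested.
if [ "${RUN_EXAMPLE:-0}" = 1 ]; then
  main "$@"
fi
```

MySQL Workbench offers the same thing built in as the "Standard TCP/IP over SSH" connection method, so the manual `ssh -L` step is only needed for command-line clients. One caveat when the server runs with `skip_name_resolve`: the connection arrives from 127.0.0.1, so the account must be granted for `'user'@'127.0.0.1'`, not only `'user'@'localhost'`.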
Re: Add adminer to the toolset?

Posted: 29 Sep 2016 06:26
by ovizii
I know and agree that the more tools, the more possible security breaches, but the point is you still need to enter the DB name and password to access it, so this is only dangerous if a security flaw is discovered. (Btw, don't lump these two together: phpmyadmin/adminer) https://www.adminer.org/en/phpmyadmin/

well, anyway, just my 2c :-)

Re: Add adminer to the toolset?

Posted: 29 Sep 2016 12:30
by pdwalker
Even without saved php credentials, having that kind of tool accessible via the web interface leaves you subject to the bugs in the software, which could give access to the server if a bug is found. Once access is had, the rest opens up really quickly.

If you've ever had the chance to watch a good cracker at work, it's scary how fast they can penetrate a system just by taking advantage of common programming errors. I know of one gentleman who did it as a hobby. His average time penetrating php web applications was about half an hour to get access to the website hosting the application.

edit: additional thoughts

Assuming that someone got access to the webserver using the webserver credentials, then the whole system is completely exposed and ready to be compromised completely. The webserver user has read access to the efa configuration file, which contains, among other things, the mysql root password and the su password for the efa administration account.

So yeah, I'd really be dead set against adding additional web tools directly on an efa box.