severity 446862 wishlist
tags -security

On Tue, October 16, 2007 12:06, Stephen Gran wrote:
> Really? As you yourself noted, the default install doesn't give fewer
> privileges to [EMAIL PROTECTED] over [EMAIL PROTECTED] I don't see a
> privilege escalation for the normal install here, so I don't see how
> this is a security problem or a grave bug.
>
> I agree it's a useful patch to allow admins to decrease the privilege of
> [EMAIL PROTECTED] if they prefer. I am not involved in phpmyadmin
> maintenance, so I won't do any bug triage beyond this comment, but I
> suggest downgrading to wishlist, retitling "I would like to be able to
> discover if this is a remote connection", and removing the security tag.

I agree with Stephen here. This is expected behaviour of phpmyadmin and anyone installing it knowingly opens up local access to their database from Apache, as that is exactly the point of the package. phpMyAdmin warns you clearly if you have no root password set for MySQL to help avoid the most blatant holes. That MySQL does not set a root password on initial install is a debatable issue but it seems to be a design decision by MySQL.

I'll investigate the patch later to see whether we can do something useful with it, thanks. But it's not a security issue so I'm marking the bug appropriately.

Thijs