Unfortunately, it's not, in a way. I found that if a user has PHPMyAdmin installed in his/her directory, there's a config file with the username and password to be able to access the database. Any user on the same machine can read that config file using perl and gain access to another user's database. So PHPMyAdmin may be easy to use, but it's also easy to ABUSE. I've been able to access other people's databases, with ease, not being the siteadmin for that virtual site. All I needed was one simple perl script and an account on the same machine.

My advice is to always keep the config file offline except for those moments when you actually need it. I don't know if this sounds stupid to any of you, I've just started working with Cobalt appliances myself, after having my sites hosted on Raq3 and Raq4's for 18 months. So I'm sure there are better ways to protect a user's database from others on the same machine.

Anyway, the method I described here also counts for ALL other files on the server. I can view password files (whether readable or not, that's beside the point), I can retrieve a list of all the sites on the server, I can also access directories normally protected by passwords. (When accessed by a web browser.) I don't know, maybe it's a bug, but it seems like I have at least read access to all areas as long as perl can reach them.

Of course looking at the example I mentioned above, I need to have a copy of PHPMyAdmin installed in my directory and a copy of the other user's config, but it's possible. I've not tried anything beyond this point, but who knows what's possible??? I could read other people's mail, possibly guess their siteadmin password based on their username, using the name of their mail directory as a starting point...

Could it be group permissions? Would a user be able to access my files, because that file has group read permission? Who would like to comment on this?

QX Hosting

21-09-2001 20:21 Cobalt mailing List, [EMAIL PROTECTED] wrote:

> Taco has just added a great piece of software to our Raq4, PHP MYADMIN.
> This is a very simple GUI tool to add, edit and generally keep track of
> MYSQL databases.
>
> I have not used MYSQL much but this looks like a very easy to manage
> system. Anything which makes my life easier has to be a good thing!
>

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
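
The post's closing question about group read permission can be checked directly. The following is an added example, not part of the original post or of phpMyAdmin: a small audit that lists which credential files carry group or other read bits and whether other accounts can traverse the directories leading to them. The file name `config.inc.php`, the user names and the temporary directory tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

CONFIG_NAME = "config.inc.php"  # assumption: phpMyAdmin's config file name

def exposure(path):
    """Classes beyond the owner whose mode bits allow reading `path`."""
    mode = os.stat(path).st_mode
    return [who for who, bit in (("group", stat.S_IRGRP), ("other", stat.S_IROTH))
            if mode & bit]

def reachable_by_others(path, root):
    """True if every directory from `root` down to the file grants search (x) to others."""
    current, root = os.path.dirname(os.path.abspath(path)), os.path.abspath(root)
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(current)
        if current == root or parent == current:
            return True
        current = parent

def audit(root):
    """Map each config file under `root` to (extra readers, reachable by others)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if CONFIG_NAME in files:
            full = os.path.join(dirpath, CONFIG_NAME)
            findings[os.path.relpath(full, root)] = (
                exposure(full), reachable_by_others(full, root))
    return findings

def build_sample_tree():
    """Constructed sample: three hypothetical users with different permissions."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    for user, dir_mode, file_mode in (("alice", 0o755, 0o644),
                                      ("bob", 0o755, 0o600),
                                      ("carol", 0o700, 0o640)):
        home = os.path.join(root, user)
        os.mkdir(home)
        cfg = os.path.join(home, CONFIG_NAME)
        with open(cfg, "w") as fh:
            fh.write("<?php /* constructed placeholder, no real credentials */ ?>\n")
        os.chmod(cfg, file_mode)
        os.chmod(home, dir_mode)
    return root

if __name__ == "__main__":
    for rel, (readers, reachable) in sorted(audit(build_sample_tree()).items()):
        print(rel, "extra readers:", readers or "none", "reachable by others:", reachable)
```

Mode bits are only part of the picture: a script executed by the web server reads files with the server account's identity, so a file also has to be unreadable to that account and its groups before other users' scripts are shut out.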
