undefined | Better HN

0 pointsTonyTrapp1y ago0 comments

Then you should also be worried about bugs that let you log into an SSH session without providing your SSH certificate, passkey or whatever. Authentication bypass can happen with pretty much any buggy authentication method. None of this is inherently a problem of passwords or basic auth.

0 comments

ceejayoz1y ago

Sure, but phpMyAdmin has a long history of major security holes. It's existence on a server tends to be a red flag.

TonyTrappOP1y ago

Again, the premise was that phpMyAdmin is secured behind basic auth. It doesn't matter how secure or insecure phpMyAdmin is, it only matters how secure whatever webserver is that it is served through. phpMyAdmin code isn't even touched before the basic auth login was successful. Only after that, it becomes relevant, in that you either find a hole in phpMyAdmin itself, or you have to break another (hopefully strong) password for the MySQL login itself.

ceejayoz1y ago

It's not using the webserver's basic auth, it's using their own implementation (https://github.com/phpmyadmin/phpmyadmin/blob/297c1e174b93a9..., via PHP's: https://www.php.net/manual/en/features.http-auth.php).

1 more reply

j / k navigate · click thread line to collapse

0 comments

ceejayoz1y ago

Sure, but phpMyAdmin has a long history of major security holes. It's existence on a server tends to be a red flag.

TonyTrappOP1y ago

ceejayoz1y ago

1 more reply

j / k navigate · click thread line to collapse