top | item 31556631

drej | 3 years ago

It's a wonderful tool and it has simplified workflows for many, just be mindful of its one giant security implication. Should your database credentials ever leak in any way (lost/stolen property, incorrect git commit, screencasting mishap, ...), having an Adminer/phpMyAdmin instance running on an otherwise unrestricted address means you're opening up (quite literally) your server to a world of trouble.

(I speak from experience. I've seen a lot of credentials leak together with source code. This meant I saw "secret" paths where Adminer was hosted on a given site. Having database credentials meant I didn't have to somehow circumvent network security to get to the database itself. [Yes, I disclosed all of this to the server operator and even got a measly $50 gift card out of it :-)])

nadinengland | 3 years ago

Yeah, at previous jobs there has been a db.devopsdomain.com (etc) which acted like a bastion into the network from which you could connect with DB credentials to the actual databases.

It's convenient, I will say that. I've tried not to replicate this exactly and instead have Adminer running on a server on the network but only listening for localhost connections. To get access to it you can then SSH tunnel the ports locally:

    # Route 8082 on your machine to localhost:8080 on the server:
    ssh -N -L 8082:localhost:8080 db.devopsdomain.com
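As an added example (not code from either commenter), here is a small POSIX shell check for the setup described above: it verifies from `ss -H -ltn`-style output that the Adminer port (8080, as in the comment) is bound to loopback only, and builds the matching tunnel command. The listener lines are constructed sample data.

```shell
#!/bin/sh
# Added example: confirm the web server fronting Adminer listens on loopback only,
# so the only way in is the SSH tunnel. Input is constructed `ss -H -ltn` output
# (one listener per line, no header); on a real host feed it `ss -H -ltn`.

ADMINER_PORT=8080

# Constructed sample: Adminer on 127.0.0.1 only, sshd on all interfaces.
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# loopback_only PORT SS_TEXT
# Prints "loopback-only" and returns 0 when every listener on PORT is a loopback
# address; otherwise prints "EXPOSED on <addrs>" and returns 1.
loopback_only() {
  port="$1"; ss_text="$2"
  bad=""
  while read -r _state _recvq _sendq laddrport _rest; do
    [ -n "$laddrport" ] || continue
    lport=${laddrport##*:}     # text after the last ':' is the port
    laddr=${laddrport%:*}      # text before it is the address (may be [v6])
    [ "$lport" = "$port" ] || continue
    case "$laddr" in
      127.*|'[::1]'|'[::ffff:127.'*) ;;        # loopback: fine
      *) bad="$bad $laddr" ;;                  # 0.0.0.0, [::], *, or a real IP
    esac
  done <<EOF
$ss_text
EOF
  if [ -n "$bad" ]; then
    echo "EXPOSED on$bad"
    return 1
  fi
  echo "loopback-only"
  return 0
}

# tunnel_cmd LOCAL_PORT REMOTE_PORT HOST: the client-side forward to reach it.
tunnel_cmd() {
  echo "ssh -N -L $1:localhost:$2 $3"
}

loopback_only "$ADMINER_PORT" "$SAMPLE_SS"
tunnel_cmd 8082 "$ADMINER_PORT" db.devopsdomain.com
```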