Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What if a hacker would have access to a user of said personal intranet, or would find a way to bypass the password protected page. Then he'd be able to execute anything on the server, even stuff the user he hacked shouldn't be able to access. So no, this is always a vulnerability.


What about phpMyAdmin and others alike webapps? Are they inherently insecure?


Those are different, as they only do what they are meant to do (give access to the databases).

They don't give untintended full access to the web server.

That said, they are a little insecure.


>They don't give unintended full access to the web server.

https://en.wikipedia.org/wiki/Webmin

Maybe not unintended, but definitely full access, and the world is almost certainly full of outdated/non whitelist access/weakly passworded panels.

Also, on a a sufficiently misconfigured server, you could always use \! (mysql's shell_exec, etc.) with phpmyadmin etc. to open a remote shell somewhere, then work from there.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: