We found out today that sql.php can access all dbs from db4, thus a security risk.
We need to lock it down so it can only access wiki dbs.
Dropping, of course, does not work, but accessing any db that is not meant for mw-admins (such as phabricator_*, icinga, etc.) can be done via the SQL.php prompt.
We have changed it to root only for now, but mw-admins should still be able to use sql.php so we should find another solution.
Okay, can access - but can't use.
This is an overreaction and not a security issue. I'd like people to verify however first.