It looks like Bike is a simple query interface whereas phpMyAdmin is a whole suite of tools akin to the desktop Workbench for mysql (at least, the administrative side).
I couldnt agree more, setting up Bike on every other server gives you the same maintenance headache(perhaps a little simpler) as having a version of phpMyAdmin on each.
I just yesterday wrote a blogpost about tunneling mysql and using a locally hosted phpMyAdmin for those needs. That will give you the benefit of having phpMyAdmin at one place and you'll be motivated to keep that updated and properly configured.
http://text.krona.tm/post/25982176151/using-phpmyadmin-witho...
It's not, if you look at the github page they make no such claims and actually say it's a small tool. whomever made this post is the one saying it's an alternative.
I realize that this is a totally different strategy to solve the mySQL admin thing, but WOW is Sequel Pro great if you're on a Mac: http://www.sequelpro.com/
I used phpMyAdmin for 10 _years_, and switched after using Sequel Pro for 5 minutes.
Sequel pro is such a good bit of software, especially for the price. I fell in love after a couple of days, and even if you're not looking for new mysql software it's worth a look to see how well the UX has been implemented.
The most useful thing about it is you can jump between the various views it offers, across multiple tables, and it maintains the state of each view so well that it's an absolute pleasure to use.
The issue behind phpMyAdmin IMHO neither is the fact that it's written in PHP nor that it looks unsexy. The problem is that it exists.
It's too tempting to leave it running on some server and promptly forget it. Or get it installed without knowing by some third-party CMS.
Even if it had a spotless security track record (it doesn't), this is just too big an attack surface.
MySQL and especially Postgres have really good command line utilities you can use over SSH which will have the additional advantage of you learning DDL syntax for emergencies. And of course GUIs exist too (use SSH port forwarding).
About Bike: I didn't install it, but this looks like a pure frontend to type in queries and get back results. This provides the security problems of phpMyAdmin minus the specialized GUI to save you from learning DDL or server internals.
As such it provides the worst of both worlds. I wouldn't call that "phpMyAdmin for geeks". CLI mysql is phpMyAdmin for geeks.
That of course works too, but then again, I wonder what features of phpMyAdmin warrant the overhead of actually installing it plus the webserver it needs as opposed to just using the mysql command line tool (honest question - I haven't been using MySQL in a long time and on Postgres' side there's nothing that a GUI would allow me to do quicker than what I can do in the CLI psql utility)
There are a ton of things I can do quicker in a GUI when using Postgres. That's simply because I'm not proficient with the Postgres CLI. Of course I can and try to fix that, but that takes time I don't always have.
Easier to scroll through large result sets, especially for tables with many columns. It's quite hard to mentally parse a bunch of entries that don't line up in a console.
To be honest i do run phpMyAdmin, but I run it on a subdomain that has HTTP auth over SSL and the log files are included by fail2ban scans (thus anyone that fails to HTTP auth correctly 3 times gets auto-banned in iptables).
So while I do agree with your points regarding phpMyAdmin, you can have the convenience of running it (and securely) if you really wanted to.
Actually they do. My method prevents attackers from being able to access phpMyAdmin in the first place and thus if an attacker cannot access phpMyAdmin, then they can't exploit any of the vulnerabilities within phpMyAdmin.
Prevention is definitely better than a cure in this instance; preventing the unwanted from accessing phpMyAdmin is better than fixing all the vulnerabilities and hoping that an attacker doesn't discoverer a new exploit.
FWIW, I've got (or have to deal with) several ultra-inexpensive webhosting accounts where I don't get shell access, so command line mysql isn't an available option.
Every one of these kind of accounts I've got, and the ones I'm happy to help friends out with, are all cpanel accounts, so I've pretty much always got phpmyadmin available.
I'm not saying Bike (or phpmyadmin) are a good idea - but I do have a need for something like it to exist.
(Arguably, if this software _didn't_ exist, webhosting companies would maybe give shell more readily to even the lowest of low-end hosting accounts, but that's not the reality I live in right now.)
I often see systematic scans for phpmyadmin installations in my weblogs. phpmyadmin has had a series of security issues.
New software, new bugs.
I am not very confident that the bike developers will have an eye on security, since there are a couple of spelling errors on the site and they brag about how good looking and ajaxy the software is. Wrong focus.
Adminer [http://www.adminer.org/en/] is a pretty sweet db administration tool. It's only one sub-300kB file with no installation or configuration (so if your hosting provider doesnt have any db tool you can upload yours in seconds), supports MySQL, SQLite, PostgreSQL and others, and does much more. I didn't had to use phpMyAdmin even once since I learned about this.
One "killer" feature for me: Adminer automatically links items in columns that have foreign keys set, so you can click on a value and it jumps to that item in linked table.
If you go to their github page it says the following under security: "On current stage I don't care about login functionality. Put Bike into folder with name like 'tASTDKUWYVEjhas' or just use Apache httpauth as workaround."
So basically... they have absolutely nothing built in for security, other than hoping you choose a good folder name. Even if you ignore that, this is an all-around poor attempt to be an alternative, let alone compete.
UPDATE: Looks like the Bike developer is not trying to be an 'alternative' to phpMyAdmin and whomever made this post either used bad info or think it's an alternative themselves. Either way the guy says it's just supposed to be a lightweight and simple tool... not any sort of alternative. With that said, it's not so bad... but still, security needs to be a higher focus if this thing can access/modify your database.
(a slightly more refined version of that search, which I'll leave as an exercise for the reader, has already revealed 3 probably exploitable urls, based on the google snippet - I'm not prepared to click the links to confirm…)
While I can understand the author writing a tool that scratches his own itch, where that itch doesn't include the need for strong access control for the tool - releasing it in a "default unsafe" configuration seems, ummmm, unwise. I'd suggest perhaps publishing the software with a hardcoded 10..1 ip address as the only address it'll respond to, so that you can't just download and run it with the result of a wide-open access to your databases. If someone's savvy enough to safely use the tool, updating that hardcoded ip address to their own will be obvious, and while opening it up to the world will still be _possible_, at least it'll require some intentional effort.
i didn't even think of that (the google search). i fear for all the novice developers that use this and do nothing more than just install it and leave it wide open.
The two simple ways of addressing this are to use some sort of folder level authentication (e.g. htaccess and htpasswd or equivalent) and to make sure it's not referenced in sitemaps or robots.txt, nor linked to from elsewhere on the net.
Those are nice suggestions and all but I already see one way to abuse this script since it's in the public html folder and pretty much wide open to attack if you can gain access to it.
Let's say i see your site has timthumb and it hasn't been updated to the new, more secure, version. Perfect! I'll just use your timthumb to grab your htaccess file and see what folders your hiding. Alright so (theoretically) it looks like you're hiding it under /rj988fh4990j0jgggggf4f thinking I would never know! Clever name, but unfortunately that wasn't enough to stop me from finding it.
Next step, since timbthumb can write stuff to a cache folder, thanks to it's wonderful permissions and being able to run things using apache (which has access to your protecte folder)... I'll just copy and/or move your "secret" and "protected" bike folder into the cache folder using a quick php script i plugged into timthumb. Yay! Since Bike can be run pretty much anywhere you put it and just needs to be publically available to use it, now i'm in the clear and i can now access it at /cache/bike.
Who needs a shell script when you have timthumb and bike! Let's get SQLing!
Granted, this is not going to work for every site using bike since 1) not everybody uses timthumb and 2) a lot of people have updated it and/or have better security than this... but from my experience as a dev a lot of people who use timthumb have no effing clue what theyre doing and are vulernable to these kind of attacks. they know just enough to be dangerous. this app i feel would attract the same crowd who implement scripts like timthumb
Personally I dont think this should even exist in the public html folder. it puts you at more risk than it's use justifies.
Just to note, as I'm sure this will cross some people's minds... yes, i could gain access to somebodies database config file for say wordpress or joomla just as easy using timbthumb but those typicall dont have a built in interface that lets me run and store queries as i please =P
This app needs more security.
Update: i just realized i could probably edit the htaccess file if it was writable by apache, using timthumb, in order to disable the protection of the bike folder which would just make accessing it even easier. This just furthers my point that this app needs more security. Depending on 1 simple thing like protecting a folder using your htaccess file is like logging into an account with JUST a password (and no username, no handshake, no api key, no tokens, no nothing).
I tried to reply a few times last night but was having problems.
You're absolutely right about timbthumb. I was referring to bike in isolation, which of course it never will be. Having said that, the same applies to phpmyadmin and other apps that you might have. Indeed, timbthumb is a common way of breaking into weak wordpress themes and plugins.
Just to be clear I wasn't suggesting using a random folder name. I've never been one for security by obscurity, but by keeping anything you don't want near the Internet restricted from the great unwashed (and by following an appropriate application security strategy) then you have a better chance than just putting this under /bike and open to the world.
dumb title - if it was phpMyAdmin for geeks I would say it should have more features, not less.
Looks nice - but as most of you said, there are far better options for handling this. If you are using MySQL and like some "nice tool", the MySQL workbench supports tunneling directly.
46 comments
[ 4.1 ms ] story [ 27.2 ms ] threadI just yesterday wrote a blogpost about tunneling mysql and using a locally hosted phpMyAdmin for those needs. That will give you the benefit of having phpMyAdmin at one place and you'll be motivated to keep that updated and properly configured. http://text.krona.tm/post/25982176151/using-phpmyadmin-witho...
I used phpMyAdmin for 10 _years_, and switched after using Sequel Pro for 5 minutes.
It's too tempting to leave it running on some server and promptly forget it. Or get it installed without knowing by some third-party CMS.
Even if it had a spotless security track record (it doesn't), this is just too big an attack surface.
MySQL and especially Postgres have really good command line utilities you can use over SSH which will have the additional advantage of you learning DDL syntax for emergencies. And of course GUIs exist too (use SSH port forwarding).
About Bike: I didn't install it, but this looks like a pure frontend to type in queries and get back results. This provides the security problems of phpMyAdmin minus the specialized GUI to save you from learning DDL or server internals.
As such it provides the worst of both worlds. I wouldn't call that "phpMyAdmin for geeks". CLI mysql is phpMyAdmin for geeks.
That's how I run my phpAdmin. No server security issues.
I either command line in over SSH or open up a tunnel and use SQLYog.
So while I do agree with your points regarding phpMyAdmin, you can have the convenience of running it (and securely) if you really wanted to.
Prevention is definitely better than a cure in this instance; preventing the unwanted from accessing phpMyAdmin is better than fixing all the vulnerabilities and hoping that an attacker doesn't discoverer a new exploit.
Every one of these kind of accounts I've got, and the ones I'm happy to help friends out with, are all cpanel accounts, so I've pretty much always got phpmyadmin available.
I'm not saying Bike (or phpmyadmin) are a good idea - but I do have a need for something like it to exist.
(Arguably, if this software _didn't_ exist, webhosting companies would maybe give shell more readily to even the lowest of low-end hosting accounts, but that's not the reality I live in right now.)
New software, new bugs.
I am not very confident that the bike developers will have an eye on security, since there are a couple of spelling errors on the site and they brag about how good looking and ajaxy the software is. Wrong focus.
One "killer" feature for me: Adminer automatically links items in columns that have foreign keys set, so you can click on a value and it jumps to that item in linked table.
So basically... they have absolutely nothing built in for security, other than hoping you choose a good folder name. Even if you ignore that, this is an all-around poor attempt to be an alternative, let alone compete.
UPDATE: Looks like the Bike developer is not trying to be an 'alternative' to phpMyAdmin and whomever made this post either used bad info or think it's an alternative themselves. Either way the guy says it's just supposed to be a lightweight and simple tool... not any sort of alternative. With that said, it's not so bad... but still, security needs to be a higher focus if this thing can access/modify your database.
So I wonder how long before this becomes a trending search query?
https://www.google.com.au/search?q=inurl%3A%2Fbike+%22Run+Qu...
(a slightly more refined version of that search, which I'll leave as an exercise for the reader, has already revealed 3 probably exploitable urls, based on the google snippet - I'm not prepared to click the links to confirm…)
While I can understand the author writing a tool that scratches his own itch, where that itch doesn't include the need for strong access control for the tool - releasing it in a "default unsafe" configuration seems, ummmm, unwise. I'd suggest perhaps publishing the software with a hardcoded 10..1 ip address as the only address it'll respond to, so that you can't just download and run it with the result of a wide-open access to your databases. If someone's savvy enough to safely use the tool, updating that hardcoded ip address to their own will be obvious, and while opening it up to the world will still be _possible_, at least it'll require some intentional effort.
Let's say i see your site has timthumb and it hasn't been updated to the new, more secure, version. Perfect! I'll just use your timthumb to grab your htaccess file and see what folders your hiding. Alright so (theoretically) it looks like you're hiding it under /rj988fh4990j0jgggggf4f thinking I would never know! Clever name, but unfortunately that wasn't enough to stop me from finding it.
Next step, since timbthumb can write stuff to a cache folder, thanks to it's wonderful permissions and being able to run things using apache (which has access to your protecte folder)... I'll just copy and/or move your "secret" and "protected" bike folder into the cache folder using a quick php script i plugged into timthumb. Yay! Since Bike can be run pretty much anywhere you put it and just needs to be publically available to use it, now i'm in the clear and i can now access it at /cache/bike.
Who needs a shell script when you have timthumb and bike! Let's get SQLing!
Granted, this is not going to work for every site using bike since 1) not everybody uses timthumb and 2) a lot of people have updated it and/or have better security than this... but from my experience as a dev a lot of people who use timthumb have no effing clue what theyre doing and are vulernable to these kind of attacks. they know just enough to be dangerous. this app i feel would attract the same crowd who implement scripts like timthumb
Personally I dont think this should even exist in the public html folder. it puts you at more risk than it's use justifies.
Just to note, as I'm sure this will cross some people's minds... yes, i could gain access to somebodies database config file for say wordpress or joomla just as easy using timbthumb but those typicall dont have a built in interface that lets me run and store queries as i please =P
This app needs more security.
Update: i just realized i could probably edit the htaccess file if it was writable by apache, using timthumb, in order to disable the protection of the bike folder which would just make accessing it even easier. This just furthers my point that this app needs more security. Depending on 1 simple thing like protecting a folder using your htaccess file is like logging into an account with JUST a password (and no username, no handshake, no api key, no tokens, no nothing).
You're absolutely right about timbthumb. I was referring to bike in isolation, which of course it never will be. Having said that, the same applies to phpmyadmin and other apps that you might have. Indeed, timbthumb is a common way of breaking into weak wordpress themes and plugins.
Just to be clear I wasn't suggesting using a random folder name. I've never been one for security by obscurity, but by keeping anything you don't want near the Internet restricted from the great unwashed (and by following an appropriate application security strategy) then you have a better chance than just putting this under /bike and open to the world.
Looks nice - but as most of you said, there are far better options for handling this. If you are using MySQL and like some "nice tool", the MySQL workbench supports tunneling directly.
Please no.
we need navicat for the web.