[Koha-devel] Security with MySQL and PHP

Paul POULAIN paul.poulain at free.fr
Fri Mar 2 15:54:00 CET 2007


Pascale Nalon wrote:
> Hello,
> 
> As RespInfo for my library branch, I often receive mails about security 
> warnings (like this: http://www.php-security.org/index.html) on MySQL DB 
> and PHP.
> What do you think about these problems?
> What are the risks with Koha?

Hi Pascale,

First of all, Koha is written in Perl, so PHP bugs don't concern us ;-)
Second: a MySQL problem could concern us, but only if MySQL were open to the 
rest of the world. Koha is a complete piece of software, and the user doesn't 
have any direct access to the database. Only Koha features can be accessed.

Thus, I think our only goal is to have a secure Koha (i.e., no way to 
do things without the requested privilege).
A sample of an insecure Koha is given in my February 9th mail on this list.

We also have to split the risks into 3 kinds:
- security holes needing a librarian login
- security holes needing a login
- security holes needing no login at all.

Someone will complete this if I'm missing something; I'm not a security guru...
-- 
Paul POULAIN and Henri Damien LAURENT
Independent consultants
in free software and library science (http://www.koha-fr.org)
Tel : 04 91 31 45 19




