Last week, yet another security update for the TYPO3 extension „phpMyAdmin“ was published. It is one of the extensions that get updated mostly for security reasons. There are several more secure alternatives, which I will show you in this article.
First of all, I want to thank Andreas Beutel, the author of the TYPO3 extension „phpMyAdmin“, for his continuous work on this extension in order to keep it safe. It is (probably) a really annoying job to keep the extension up to date. In most (all?) cases the problem is not the TYPO3 extension itself, but the bundled third-party software „phpMyAdmin“. Thanks again for your work, Andreas!
As I already wrote, the trigger for this blog post was the latest security bulletin for the TYPO3 extension „phpMyAdmin“. The following arguments are not limited to EXT:phpMyAdmin, but basically also apply to other extensions offering (nearly) the same functionality, such as „t3adminer“.
Reasons not to use it
Complete DB access for TYPO3 administrators
One of the main reasons to install such a TYPO3 extension is that you just want to check whether some database entries are correct. So far, so good. But these extensions enable all TYPO3 admins to manipulate each and every database entry. With these permissions they can f*ck up your installation easily.
Additionally, they have access to private data, whether it is encrypted or not. This makes it much easier to compromise the data. The third reason is that the permission to access the database is not limited to one or more dedicated TYPO3 users, but is granted to all TYPO3 backend users with administrator permissions. Probably not all of them have the same expertise and the same carefulness with the data.
Many security updates
Many security updates are basically not a bad thing. They are a sign of a very active security team behind the software. In the case of a TYPO3 extension bundling third-party code, like phpMyAdmin, not only the third-party project is involved, but also the TYPO3 extension author and the TYPO3 security team. Each of the three parties needs time to respond to the issue, and this depends massively on their workload and motivation. My conclusion is that the fewer parties are involved, the better: the time needed to provide a fix is much shorter.
Temporary usage
One of the most common arguments is „Hmmm … I’m just using it temporarily“. Yes, this is a very valid answer and a valuable reason. But be honest with yourself: How often did you forget to remove it afterwards? If you do not have a solution like „caretaker“ on this instance … you will forget it forever, won’t you? IMHO the risk of having such a time bomb in (at least) one of the installations is far too high.
Alternatives
All mentioned alternatives have one advantage in common: the persons who get direct access to the database can be selected individually … not all TYPO3 admins automatically get direct access to the database with all privileges.
Own phpMyAdmin Installation
I think this is the weakest of all recommendations in this list. It is up to the administrator to make the DB access via phpMyAdmin safe and secure. The difference between the TYPO3 extension and this solution is that the phpMyAdmin admin is solely responsible for the installation and the software. An update of phpMyAdmin is possible without any action from the extension owner and the TYPO3 security team.
Provider's web-based DB tool
Most (all?) hosting providers offer a graphical user interface for database access, mostly based on phpMyAdmin. Hosting providers have an intrinsic motivation to keep their database tool safe. If they don’t, many thousands of databases would be exposed to attackers instantly.
GUI clients
A third possibility for accessing MySQL databases are native graphical clients. For every operating system there are some solutions available. Here is a list of available products. Probably there are more … you are welcome to add them in the comment section.
Sequel Pro (http://www.sequelpro.com/)
- supports MySQL
- available for Mac OS X
- Licensing Model: free (MIT license)
MySQL Workbench (https://dev.mysql.com/downloads/workbench/)
- supports MySQL
- available for several OS (MacOS, Linux, MS Windows)
- Licensing Model: free (GPL)
HeidiSQL (http://www.heidisql.com/)
- supports MySQL, MSSQL and PostgreSQL
- available for MS Windows (using Wine also for MacOS and Linux)
- Licensing Model: free (GPL)
Toad for MySQL (http://software.dell.com/products/toad-for-mysql/)
- supports MySQL
- available for MS Windows
- Licensing Model: Freeware
Navicat (http://www.navicat.com/)
- supports several databases (MySQL, MariaDB, Oracle, MSSQL, PostgreSQL, …)
- available for several OS (Windows, Mac, Linux, iOS)
- other DB Tools available (Data-Modeler, …)
- Licensing Model: commercial
dbForge Studio for MySQL (https://www.devart.com/de/dbforge/mysql/studio/)
- supports MySQL and MariaDB
- available for MS Windows
- Licensing Model: free (Express edition), commercial (Standard and Professional edition)
SSH & command-line mysql
Last but not least, it is possible to access the database from the command line and fire all those nifty commands through the mysql command-line client over ssh. If nothing else works, this can be a really big help, but it is not as comfortable as the other solutions.
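To put the point of the „Alternatives“ section and the ssh/command-line route into practice, here is an added example (not from the original post) of how dedicated MySQL accounts keep direct database access limited to selected persons instead of every TYPO3 admin; the database name typo3_db, the account names, the passwords and the ssh host are assumptions.

```sql
-- Added example: dedicated, minimal-privilege accounts instead of
-- handing every TYPO3 admin the full database through an extension.
-- Assumed names: database typo3_db, accounts typo3_readonly / typo3_editor.

-- 1) Read-only account for the common case of "just checking whether
--    some database entries are correct". Bound to localhost, so it is
--    only reachable from the server itself, e.g. through an ssh tunnel:
--      ssh -L 3307:127.0.0.1:3306 shell-user@example.org
--      mysql -h 127.0.0.1 -P 3307 -u typo3_readonly -p typo3_db
CREATE USER 'typo3_readonly'@'localhost' IDENTIFIED BY 'change-me-readonly';
GRANT SELECT, SHOW VIEW ON typo3_db.* TO 'typo3_readonly'@'localhost';

-- 2) Write account for the one person who really has to correct data,
--    limited to data manipulation: no DROP, ALTER, GRANT or FILE.
CREATE USER 'typo3_editor'@'localhost' IDENTIFIED BY 'change-me-editor';
GRANT SELECT, INSERT, UPDATE, DELETE ON typo3_db.* TO 'typo3_editor'@'localhost';

-- 3) Keep forgotten sessions from piling up ("temporary usage"):
--    cap the number of concurrent connections per account.
ALTER USER 'typo3_readonly'@'localhost' WITH MAX_USER_CONNECTIONS 2;
ALTER USER 'typo3_editor'@'localhost' WITH MAX_USER_CONNECTIONS 1;

-- 4) Verify what each account may actually do before handing it out.
SHOW GRANTS FOR 'typo3_readonly'@'localhost';
SHOW GRANTS FOR 'typo3_editor'@'localhost';

-- 5) Remove the write account again when the task is done, instead of
--    leaving a time bomb behind.
DROP USER 'typo3_editor'@'localhost';
```

The TYPO3 installation itself keeps using its own account from LocalConfiguration.php; these accounts are for people, so each one can be revoked without touching the site.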
Conclusion
There are many solutions for accessing MySQL out “in the wild”. So there is IMHO no need to install and use any TYPO3 extension that provides database access.