Solved

Does PHPMyAdmin pose a security risk?

Posted on 2016-10-02
2
211 Views
Last Modified: 2016-10-06
If it does, how do you mitigate it, and what advantages would running it provide to cause you to want to set it up securely?
0
Comment
Question by:burnedfaceless
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 41825859
There have been vulnerabilities found in some versions of phpMyAdmin and some web hosts refuse to install it.  Others make it available but only thru their control panel so it can't be logged into directly.  That makes it so people can't just keep trying usernames and passwords to break in.  Like any other PHP application, you have to be careful about allowing access.  On several sites that I support, it is also limited by Apache directory security or 'basic auth' so you basically have to log in twice.

phpMyAdmin is very convenient for database maintenance including uploading new versions of the tables.  Also downloading copies for backups.  Many people keep their 'real' database on their own systems and only upload data that is needed for web site operation to their online databases.
0
 
LVL 64

Assisted Solution

by:btan
btan earned 250 total points
ID: 41825861
It need not be a risk if it is secured properly as part of the architecting and hardening regime. It need not be an unnecessary service if it does serves a purpose for secure use and not a default one time setup and forget admin portal.

Secure its access with ssl or ssh to the server box and authorisation (including htaccess and phpmyadmin.conf) to group of admin only. Employ 2fa for admin access will strengthen the identity checks against abusing reuse or exploiting password theft or leaks.

Do restrict remote admin access where possible to reduce exposure unless it is via a secure means like VPN.

Enable the audit trail of activities and have it monitor via sending the Web log on thw administration to central oversight revieing the logs.

Best to have regular security scan check on the portal and website to sieve out early sign of vulnerability. Check out OWASP tool such as OWASP Zed Attack Proxy (ZAP)

https://www.phpmyadmin.net/security/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Containers like Docker and Rocket are getting more popular every day. In my conversations with customers, they consistently ask what containers are and how they can use them in their environment. If you’re as curious as most people, read on. . .
This post looks at MongoDB and MySQL, and covers high-level MongoDB strengths, weaknesses, features, and uses from the perspective of an SQL user.
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question