Solved

Does PHPMyAdmin pose a security risk?

Posted on 2016-10-02
2
164 Views
Last Modified: 2016-10-06
If it does, how do you mitigate it, and what advantages would running it provide to cause you to want to set it up securely?
0
Comment
Question by:burnedfaceless
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 41825859
There have been vulnerabilities found in some versions of phpMyAdmin and some web hosts refuse to install it.  Others make it available but only thru their control panel so it can't be logged into directly.  That makes it so people can't just keep trying usernames and passwords to break in.  Like any other PHP application, you have to be careful about allowing access.  On several sites that I support, it is also limited by Apache directory security or 'basic auth' so you basically have to log in twice.

phpMyAdmin is very convenient for database maintenance including uploading new versions of the tables.  Also downloading copies for backups.  Many people keep their 'real' database on their own systems and only upload data that is needed for web site operation to their online databases.
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 41825861
It need not be a risk if it is secured properly as part of the architecting and hardening regime. It need not be an unnecessary service if it does serves a purpose for secure use and not a default one time setup and forget admin portal.

Secure its access with ssl or ssh to the server box and authorisation (including htaccess and phpmyadmin.conf) to group of admin only. Employ 2fa for admin access will strengthen the identity checks against abusing reuse or exploiting password theft or leaks.

Do restrict remote admin access where possible to reduce exposure unless it is via a secure means like VPN.

Enable the audit trail of activities and have it monitor via sending the Web log on thw administration to central oversight revieing the logs.

Best to have regular security scan check on the portal and website to sieve out early sign of vulnerability. Check out OWASP tool such as OWASP Zed Attack Proxy (ZAP)

https://www.phpmyadmin.net/security/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
The viewer will learn how to dynamically set the form action using jQuery.
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question