[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 401
  • Last Modified:

Does PHPMyAdmin pose a security risk?

If it does, how do you mitigate it, and what advantages would running it provide to cause you to want to set it up securely?
0
burnedfaceless
Asked:
burnedfaceless
2 Solutions
 
Dave BaldwinFixer of ProblemsCommented:
There have been vulnerabilities found in some versions of phpMyAdmin and some web hosts refuse to install it.  Others make it available but only thru their control panel so it can't be logged into directly.  That makes it so people can't just keep trying usernames and passwords to break in.  Like any other PHP application, you have to be careful about allowing access.  On several sites that I support, it is also limited by Apache directory security or 'basic auth' so you basically have to log in twice.

phpMyAdmin is very convenient for database maintenance including uploading new versions of the tables.  Also downloading copies for backups.  Many people keep their 'real' database on their own systems and only upload data that is needed for web site operation to their online databases.
0
 
btanExec ConsultantCommented:
It need not be a risk if it is secured properly as part of the architecting and hardening regime. It need not be an unnecessary service if it does serves a purpose for secure use and not a default one time setup and forget admin portal.

Secure its access with ssl or ssh to the server box and authorisation (including htaccess and phpmyadmin.conf) to group of admin only. Employ 2fa for admin access will strengthen the identity checks against abusing reuse or exploiting password theft or leaks.

Do restrict remote admin access where possible to reduce exposure unless it is via a secure means like VPN.

Enable the audit trail of activities and have it monitor via sending the Web log on thw administration to central oversight revieing the logs.

Best to have regular security scan check on the portal and website to sieve out early sign of vulnerability. Check out OWASP tool such as OWASP Zed Attack Proxy (ZAP)

https://www.phpmyadmin.net/security/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now