Solved

Does PHPMyAdmin pose a security risk?

Posted on 2016-10-02
2
63 Views
Last Modified: 2016-10-06
If it does, how do you mitigate it, and what advantages would running it provide to cause you to want to set it up securely?
0
Comment
Question by:burnedfaceless
2 Comments
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 41825859
There have been vulnerabilities found in some versions of phpMyAdmin and some web hosts refuse to install it.  Others make it available but only thru their control panel so it can't be logged into directly.  That makes it so people can't just keep trying usernames and passwords to break in.  Like any other PHP application, you have to be careful about allowing access.  On several sites that I support, it is also limited by Apache directory security or 'basic auth' so you basically have to log in twice.

phpMyAdmin is very convenient for database maintenance including uploading new versions of the tables.  Also downloading copies for backups.  Many people keep their 'real' database on their own systems and only upload data that is needed for web site operation to their online databases.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 250 total points
ID: 41825861
It need not be a risk if it is secured properly as part of the architecting and hardening regime. It need not be an unnecessary service if it does serves a purpose for secure use and not a default one time setup and forget admin portal.

Secure its access with ssl or ssh to the server box and authorisation (including htaccess and phpmyadmin.conf) to group of admin only. Employ 2fa for admin access will strengthen the identity checks against abusing reuse or exploiting password theft or leaks.

Do restrict remote admin access where possible to reduce exposure unless it is via a secure means like VPN.

Enable the audit trail of activities and have it monitor via sending the Web log on thw administration to central oversight revieing the logs.

Best to have regular security scan check on the portal and website to sieve out early sign of vulnerability. Check out OWASP tool such as OWASP Zed Attack Proxy (ZAP)

https://www.phpmyadmin.net/security/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Explain concepts important to validation of email addresses with regular expressions. Applies to most languages/tools that uses regular expressions. Consider email address RFCs: Look at HTML5 form input element (with type=email) regex pattern: T…
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now