Solved

Does PHPMyAdmin pose a security risk?

Posted on 2016-10-02
2
93 Views
Last Modified: 2016-10-06
If it does, how do you mitigate it, and what advantages would running it provide to cause you to want to set it up securely?
0
Comment
Question by:burnedfaceless
2 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 41825859
There have been vulnerabilities found in some versions of phpMyAdmin and some web hosts refuse to install it.  Others make it available but only thru their control panel so it can't be logged into directly.  That makes it so people can't just keep trying usernames and passwords to break in.  Like any other PHP application, you have to be careful about allowing access.  On several sites that I support, it is also limited by Apache directory security or 'basic auth' so you basically have to log in twice.

phpMyAdmin is very convenient for database maintenance including uploading new versions of the tables.  Also downloading copies for backups.  Many people keep their 'real' database on their own systems and only upload data that is needed for web site operation to their online databases.
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 41825861
It need not be a risk if it is secured properly as part of the architecting and hardening regime. It need not be an unnecessary service if it does serves a purpose for secure use and not a default one time setup and forget admin portal.

Secure its access with ssl or ssh to the server box and authorisation (including htaccess and phpmyadmin.conf) to group of admin only. Employ 2fa for admin access will strengthen the identity checks against abusing reuse or exploiting password theft or leaks.

Do restrict remote admin access where possible to reduce exposure unless it is via a secure means like VPN.

Enable the audit trail of activities and have it monitor via sending the Web log on thw administration to central oversight revieing the logs.

Best to have regular security scan check on the portal and website to sieve out early sign of vulnerability. Check out OWASP tool such as OWASP Zed Attack Proxy (ZAP)

https://www.phpmyadmin.net/security/
https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Foreword In the years since this article was written, numerous hacking attacks have targeted password-protected web sites.  The storage of client passwords has become a subject of much discussion, some of it useful and some of it misguided.  Of cou…
Foreword (July, 2015) Since I first wrote this article, years ago, a great many more people have begun using the internet.  They are coming online from every part of the globe, learning, reading, shopping and spending money at an ever-increasing ra…
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.
The viewer will learn how to create a basic form using some HTML5 and PHP for later processing. Set up your basic HTML file. Open your form tag and set the method and action attributes.: (CODE) Set up your first few inputs one for the name and …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now