Security Vulnerability: Firewall Site Exposes Sensitive Data Through phpMyAdmin

By Angsuman Chakraborty, Gaea News Network
Sunday, September 9, 2007

I was looking for the wiki of a popular Linux-based firewall site. The main URL returned a 404, so I went up one level hoping to find a new URL. Suddenly I had a directory listing with interesting files and a link to phpMyAdmin. Wondering how a firewall site maintains its own security, I clicked on phpMyAdmin, fully expecting a password prompt.

Surprisingly, I found the site's phpMyAdmin to be openly accessible to all. It showed several databases including, but not limited to, bugtracker, wiki, drupal and one that looked like an invoice database. I dared not venture further. I immediately sent an email to the only contact address I found in their old documentation. It is really scary.

This is a serious problem. By leaving phpMyAdmin open you expose all the data in your MySQL databases to the world at large. Anyone can view and modify your data, and your website too. CMSs like Drupal, blogging software like WordPress and most wikis are driven by a MySQL database. Allowing anyone to change the database directly allows them to change your website and to view all your confidential information. They can even use your website for phishing expeditions, so that you end up being blamed for their phishing activities.

phpMyAdmin is a popular web-based MySQL database management tool written in PHP. It allows you to protect the web interface with a password, but many people, either out of laziness or for convenience, decide to disable the password, which can have serious consequences.

How can you protect phpMyAdmin?
1. You must assign a login and password for accessing the directory.

2. You should restrict access to the specific IP addresses from which you are likely to access the data.

3. Change the directory name to something more obscure than the default phpMyAdmin, which is created in a standard RPM install. This is called security by obscurity.
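
The three steps above as a single Apache configuration, with the open setup commented out for comparison. This is an added example, not part of the original post; it assumes Apache 2.4 syntax, and the alias name, file paths and IP range are placeholders.

```apache
# Added example. Paths, alias and IP range are assumptions, not values from the post.

# --- Weak: default alias, no authentication, reachable from anywhere ---
# Alias /phpMyAdmin /usr/share/phpMyAdmin
# <Directory /usr/share/phpMyAdmin>
#     Require all granted
# </Directory>

# --- Hardened ---
# Step 3: a non-default alias. This only cuts down on automated guesses of
# the standard path; steps 1 and 2 below are the actual access controls.
Alias /dbadmin-7f3a /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    # Step 1: login and password on the directory.
    # Create the file with: htpasswd -c /etc/httpd/phpmyadmin.htpasswd <user>
    # Basic auth sends credentials with every request, so serve this over TLS.
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile /etc/httpd/phpmyadmin.htpasswd

    # Step 2: both conditions must hold, a valid login AND a known source address.
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Directory>

# The link in the post was found through a directory listing one level up.
# Turning off auto-indexing on the document root (assumed path) removes that.
<Directory /var/www/html>
    Options -Indexes
</Directory>
```

Independently of the web server, phpMyAdmin's own `$cfg['Servers'][$i]['auth_type']` should be `cookie` or `http` rather than `config`, since `config` logs every visitor in with the credentials stored in `config.inc.php`.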

September 9, 2007: 10:43 pm

That was scary, you did the correct thing by letting the guys know about it!
