Thursday July 24th 2014

Michal Čihař: Secure your phpMyAdmin
phpMyAdmin is quite popular software (to give some numbers, let’s mention 10000 downloads daily on SourceForge.net or 122685 reports in Debian’s popcon) and as such is quite an attractive target for various scripted attacks. If you run a phpMyAdmin installation somewhere, you should really make sure it is secured well enough that these script kiddies don’t get through.

Over the past month I’ve looked at what kinds of attacks these guys are trying, and in all cases they are pretty old vulnerabilities, some of them fixed years ago. So the first thing you should do is update. It is always good to run the latest stable version, but in case you can not for whatever reason, at least take the most important fixes and apply them.

In an ideal world your distribution would do this job for you, but in case it did not, you can for example take patches from Debian, which is pretty good at picking up our patches (surprisingly, it is not much related to my involvement there). To check which patches they have applied you can use the excellent patch-tracker tool, which exposes patches from all released packages.

To give you an overview of which issues script kiddies are mostly attempting to exploit right now, here is the list:

  • PMASA-2010-3 – yes, more than two years old, but still unpatched in some places
  • PMASA-2011-5 – “only” half a year old
  • PMASA-2011-6 – only useful together with a wrongly configured PHP

If you have fixed these, you should be pretty safe for now, but follow our security announcements for possible future issues (you can use the RSS feed or subscribe to the news mailing list, where all security issues are announced as well).

However, there are more things you can do to keep yourself safer:

  • remove the setup directory from phpMyAdmin; you will probably not use it after the initial setup
  • prevent browser access to the libraries directory, as it is not needed; the supplied .htaccess file does this
  • choose the authentication method carefully – cookie is probably the best choice for shared hosting
  • in case you don’t want all MySQL users to be able to access phpMyAdmin, you can use AllowDeny rules to limit them
  • consider hiding phpMyAdmin behind an authentication proxy, so that MySQL credentials are not all a user needs to log in
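As an added illustration of the authentication and AllowDeny points above (this fragment is not from the post; the user names and the 192.0.2.0/24 subnet are placeholders), here is how such a config.inc.php might look:

```php
<?php
/* Added example config.inc.php fragment (not from the post): cookie
 * authentication plus AllowDeny rules that restrict which MySQL
 * accounts may log in through phpMyAdmin and from where.
 * The user names and the 192.0.2.0/24 range (an RFC 5737
 * documentation subnet) are placeholders; adapt them to your setup. */
$i = 1;

/* Cookie auth: credentials are entered per session and never stored in
 * the config file; the cookie is encrypted with blowfish_secret, which
 * must be a long random string of your own (this value is a placeholder). */
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['blowfish_secret'] = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

/* Refuse root and password-less logins through the web interface. */
$cfg['Servers'][$i]['AllowRoot'] = false;
$cfg['Servers'][$i]['AllowNoPassword'] = false;

/* Order 'allow,deny' denies by default and only admits what an allow
 * rule lists. Rule format: <allow|deny> <user> from <ip[/mask]|localhost|all>;
 * '%' is a wildcard in the user name. */
$cfg['Servers'][$i]['AllowDeny']['order'] = 'allow,deny';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array(
    'allow appuser from 192.0.2.0/24',  // one account from one subnet
    'allow % from localhost',           // any account, but only locally
    'deny % from all',                  // everything else is refused
);
```

Leaving the order empty disables the IP-based check entirely, so verify the setting took effect by attempting a login from an address outside the allowed range.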

These are the basic steps which will help you against a possible compromise; I might return to some of these in more detail in future posts.

Filed under: Debian, English, Phpmyadmin, Suse

View full post on Planet phpMyAdmin