Sumeru Cyber Security
PhpMyAdmin page Available Publicly


Last updated 5 years ago


Introduction

phpMyAdmin is an application written in the PHP language that provides a web-based interface for the administration of MySQL databases.

Impact

An attacker can access, modify or delete all MySQL databases.

How to test

Append /phpmyadmin to the application's base URL and check whether the phpMyAdmin login page is served.

[Screenshot: the phpMyAdmin login page of the application]

How to Fix

PHP

Solution 1

To limit what an attacker can do if the phpMyAdmin directory is publicly reachable, add $cfg['Servers'][$i]['AllowRoot'] = FALSE; to phpMyAdmin's config.inc.php file; this blocks logins as the MySQL root user through phpMyAdmin.

Solution 2

Do not allow access from the outside world!

phpMyAdmin default Apache configuration (123.123.123.123 is a placeholder; replace it with the administrator's own address):

Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
        Order Deny,Allow
        Deny from All
        Allow from 123.123.123.123

        Options FollowSymLinks
        DirectoryIndex index.php

        <IfModule mod_php5.c>
                AddType application/x-httpd-php .php

                php_flag magic_quotes_gpc Off
                php_flag track_vars On
                php_flag register_globals Off
                php_admin_flag allow_url_fopen Off
                php_value include_path .
                php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
                php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
        </IfModule>
</Directory>
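The Order, Deny and Allow directives above are Apache 2.2 access-control syntax (Apache 2.4 needs mod_access_compat for them; Require ip is the modern equivalent), and a wrong Order value or a missing "Deny from All" silently leaves the directory open. The following added example, not code from the original page, models those mod_access_compat semantics in Python and evaluates the page's rule set against sample client addresses; it supports only "all", single addresses and CIDR patterns, and both sample configurations are constructed.

```python
import ipaddress

# Constructed sample mirroring the page's <Directory> block (placeholder admin IP).
PAGE_STYLE_CONFIG = """
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Deny from All
    Allow from 123.123.123.123
</Directory>
"""

# Constructed common mistake: Order Deny,Allow defaults to "allow", so without
# "Deny from All" every client reaches phpMyAdmin.
MISSING_DENY_CONFIG = """
<Directory /usr/share/phpmyadmin>
    Order Deny,Allow
    Allow from 123.123.123.123
</Directory>
"""

def _matches(pattern, client):
    """True if an Allow/Deny 'from' pattern covers client: all, one IP, or CIDR."""
    if pattern.lower() == "all":
        return True
    return client in ipaddress.ip_network(pattern, strict=False)

def parse_access_rules(config_text):
    """Collect the Order, 'Allow from' and 'Deny from' directives of a Directory block."""
    order, allows, denies = "deny,allow", [], []  # Apache's default Order
    for raw in config_text.splitlines():
        parts = raw.split()
        key = parts[0].lower() if parts else ""
        if key == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allows if key == "allow" else denies).extend(parts[2:])
    return order, allows, denies

def is_client_allowed(config_text, client_ip):
    """Decide access for client_ip under Apache 2.2 / mod_access_compat semantics."""
    order, allows, denies = parse_access_rules(config_text)
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(p, client) for p in allows)
    denied = any(_matches(p, client) for p in denies)
    if order == "deny,allow":  # default allow; a matching Allow overrides Deny
        return allowed or not denied
    if order == "allow,deny":  # default deny; a matching Deny overrides Allow
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")
```

Running is_client_allowed against MISSING_DENY_CONFIG with an outside address returns True, which is exactly the exposure the page describes.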
