phpMyAdmin Page Available Publicly

Introduction

phpMyAdmin is an application written in the PHP language that provides a web-based interface for the administration of MySQL databases.

Impact

An attacker can access, modify or delete all MySQL databases.

How to test

Append phpMyAdmin to the application's URL and check whether the phpMyAdmin page loads.

[Screenshot: the phpMyAdmin page of the application]

How to Fix

PHP

Solution 1

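To protect a phpMyAdmin directory that is reachable publicly, add $cfg['Servers'][$i]['AllowRoot'] = FALSE; to the config.inc.php file in the phpMyAdmin directory (phpMyAdmin → config.inc.php). This setting refuses logins as the MySQL root user through phpMyAdmin. It does not restrict who can reach the login page, which is what Solution 2 addresses.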

Solution 2

Do not allow access from the outside world!

phpMyAdmin default Apache configuration:
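
One way to apply Solution 2 on Apache 2.4, as an added example that is not from the original page or from the phpMyAdmin package. The alias /phpmyadmin, the install path /usr/share/phpmyadmin, the setup and libraries subdirectories and the admin subnet 192.0.2.0/24 are assumptions; replace them with the values of your installation.

```apache
# Added example: alias, path and subnet below are assumptions.
Alias /phpmyadmin /usr/share/phpmyadmin

# Weak form (shown commented out): any client can reach the login page.
# <Directory /usr/share/phpmyadmin>
#     Require all granted
# </Directory>

# Restricted form: only the server itself and the admin subnet are allowed.
<Directory /usr/share/phpmyadmin>
    Options -Indexes +SymLinksIfOwnerMatch
    DirectoryIndex index.php
    AllowOverride None
    <RequireAny>
        # Loopback addresses (127.0.0.0/8 and ::1)
        Require local
        # Constructed admin subnet (documentation range)
        Require ip 192.0.2.0/24
    </RequireAny>
</Directory>

# The setup scripts and internal libraries are never served to any client.
<Directory /usr/share/phpmyadmin/setup>
    Require all denied
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
    Require all denied
</Directory>
```

Run apachectl configtest before reloading Apache, then repeat the check from "How to test" from an address outside the allowed range and confirm the server answers with 403 Forbidden.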
