 

Does phpMyAdmin pose security risk on production

The VPS I was using used to have a phpMyAdmin pre-installation option but removed it, stating that it poses a security risk. Does it?

If so, do you recommend an alternative for browsing the DB on production (other than running SQL commands in the console)?

Tam asked Sep 07 '10 19:09



2 Answers

Any extra software you add to a system adds complexity. Complexity is the enemy of security.

PHP webapps are notorious for sloppy coding, and certainly phpMyAdmin has had more than its share of security holes in the past. You can certainly mitigate the damage by, e.g., putting it behind HTTPS with a client certificate, but that's not going to prevent cross-site request forgery attacks.

For a production machine, I'd really prefer to stick to the console.

bobince answered Oct 23 '22 17:10


There have definitely been security holes in the past. New ones will probably be found in the future. It's always a risk to open that kind of tool to public web space.

I recommend installing database management software, and connecting to your production DB through an SSH tunnel. If you're on a Mac, I'd install Sequel Pro for free. On other platforms Navicat (and other similar software) is available, but it does cost money.

Ryan Williams answered Oct 23 '22 17:10
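The SSH-tunnel approach from the answer above, written out as an added example (this is not code from either answer or from any of the tools named). It assumes a production host `db.example.com` reachable over SSH as an unprivileged user `deploy`, a mysqld bound to `127.0.0.1:3306` on that host, and a MySQL account `readonly`; all of those are placeholders. The local end of the forward is bound to loopback only, so nothing else on your network can ride the tunnel into the production database, and `ExitOnForwardFailure=yes` makes `ssh -f` fail loudly instead of backgrounding silently when the local port is already taken.

```shell
#!/bin/sh
# Added example, not code from either answer: drive an SSH tunnel to a
# production MySQL that listens only on 127.0.0.1, then point a client at it.
# Host, user, local port and the "readonly" account are placeholders (assumptions).
set -eu

PROD_HOST="${PROD_HOST:-db.example.com}"   # assumed: SSH-reachable production host
SSH_USER="${SSH_USER:-deploy}"             # assumed: unprivileged SSH login
LOCAL_PORT="${LOCAL_PORT:-3307}"           # local end; 3307 avoids clashing with a local mysqld
REMOTE_PORT=3306                           # mysqld on the server, bound to loopback
CTL="${TMPDIR:-/tmp}/mysql-tunnel-${PROD_HOST}.sock"   # control socket for the master connection

# Compose the ssh argument list for the tunnel.
#  -f -N   : go to background after auth, run no remote command
#  -M -S   : create a control master so the tunnel can be closed by name later
#  -L 127.0.0.1:L:127.0.0.1:R : bind the LOCAL side to loopback only, so nothing
#            else on the LAN can ride the tunnel into the production database
#  ExitOnForwardFailure=yes : with -f, ssh exits non-zero instead of silently
#            backgrounding when the local port is already taken
tunnel_args() {
    user=$1; host=$2; lport=$3; rport=$4; ctl=$5
    printf '%s' "-f -N -M -S $ctl -o ExitOnForwardFailure=yes -L 127.0.0.1:$lport:127.0.0.1:$rport $user@$host"
}

open_tunnel() {
    # word-splitting of the argument string is intended here
    # shellcheck disable=SC2046
    ssh $(tunnel_args "$SSH_USER" "$PROD_HOST" "$LOCAL_PORT" "$REMOTE_PORT" "$CTL")
}

close_tunnel() {
    ssh -S "$CTL" -O exit "$SSH_USER@$PROD_HOST" 2>/dev/null || true
}

case "${1:-}" in
    up)    open_tunnel ;;
    down)  close_tunnel ;;
    query) # one-off session through the tunnel; a GUI client uses the same host/port
           open_tunnel
           trap close_tunnel EXIT
           mysql --host=127.0.0.1 --port="$LOCAL_PORT" --protocol=TCP \
                 --user=readonly -p -e 'SHOW DATABASES' ;;
    *)     echo "usage: $0 up|down|query" ;;
esac
```

Run `./tunnel.sh up`, then point Sequel Pro, Navicat or the `mysql` CLI at `127.0.0.1:3307`; `./tunnel.sh down` tears the master connection down. Because the server sees the connection arriving from its own loopback, the MySQL account can be created as `'readonly'@'127.0.0.1'` and mysqld can keep `bind-address = 127.0.0.1`, so the database is never exposed on a public interface and SSH keys (not MySQL passwords) are what gate remote access. Sequel Pro's built-in "SSH" connection type does the same forward for you.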