2

I found that in several websites, [HOSTNAME]/phpmyadmin/setup/index.php is accessible by default without authentication. However, it seems impossible to modify anything or to do security damage. Also, the website database is not accessible via this panel.

Is there any security risk with that? If not, what is the purpose of such thing?

Anders
  • 64,406
  • 24
  • 178
  • 215
Duke Nukem
  • 687
  • 3
  • 9
  • 20
  • 1
    General security practice is to remove or limit everything not absolutely necessary - even if there are not current exploits available, there may be in the future. If end users don't need that app, don't let give them access to it. – crovers Sep 26 '16 at 13:38

2 Answers2

3

Well this is a huge security risk. Even though it is impossible to modify data if nobody can view your database structure though this security panel they can use zero day security flaws in phpmyadmin to get your information.

Generally speaking you should manage your database through an endpoint that is not accessible to every visitor of your website.

You should move this to a secure location. Some other subdomain that is protected by some filter or something like that.

melanholly
  • 168
  • 5
1

As a phpMyAdmin team member my advice is: just delete the folder once your setup is done. It would avoid creating an endpoint for attackers.

William Desportes
  • 111
  • 3