If you don't want to fork out the $30 for a cert, then Use HTTPS, otherwise data and passwords can be leaked to anĪttacker. Vulnerability scanners like Nessus/Nikto/Acunetix/w3af will scan for this.įirewall off tcp port 3306 so that it cannot be accessed by an attacker. htaccess reulset:ĭo not have a predictable file location like. Whitelist IP address who have access to the phpmyadmin interface.file_priv is one of the most dangerous privileges in MySQL because it allows an attacker to read files or upload a backdoor. Remove file_priv permissions from every account.If you need some root privileges, create a custom account that can add/drop/create but doesn't have grant or file_priv. DO NOT ALLOW REMOTE ROOT LOGINS! Instead phpmyadmin can be configured to use "Cookie Auth" to limit what user can access the system.PhpMyAdmin lacks strong bruteforce protection, so you must use a long randomly generated password.Here is a great way to lock down phpmyadmin: As a pentester I have used this attack pattern to compromise a system. Thank you guys, Hope my article helps you.The biggest threat is that an attacker could leverage a vulnerability such as directory traversal, or using SQL Injection to call load_file() to read the plain text username/password in the configuration file and then Login using phpmyadmin or over tcp port 3306. See second bug here (Resolution provided by Chaloemphon Thipkasorn).See first bug here (Resolution provided by Chaloemphon Thipkasorn).Change root login to password type by executing the commandĪLTER USER IDENTIFIED WITH mysql_native_password BY ‘ root password created the moment of installing mysql’ įLUSH PRIVILEGES Bugs you could encounter while accessing phpMyAdmin (PHP7.2 + phpMyAdmin).– Press “ space” to select apache2 ( *) then press “ tab key” and “ enter” to confirm.īy default you cannot login as root user through phpMyAdmin. Then follow steps below after each prompt respectively To install it you need to execute the command below PhpMyAdmin facilitate accessing and managing your MySQL database via a web page. To check if PHP is installed successfully, go to /var/Feel free to remove it or modify it) and copy past the code below in itĪfter visiting the link (x.x.x.x public IP address of your EC2 instance), you will see this page ![]() We need to restart apache to get last system changes ![]() Sudo apt-get install php-mysql php-curl php-gd php-json php-zip php-mbstring php-mcrypt Sudo apt-get install php libapache2-mod-php# necessary modules for PHP server ![]() ![]() To install PHP and some other most commonly needed modules, we will use again apt-get and executing the command below You will be prompted to MySQL command screen. Now after finishing installation you can check if MySQL works fine by logging to your database using the command.
0 Comments
Leave a Reply. |