Database Dumped by Intruder

“We had reluctantly provided access to phpmyadmin to the appdb developers (it is a very handy tool, and something they very much wanted). But it is a prime target for hackers, and apparently our best efforts at obscuring it and patching it were not sufficient.”

See the announcement on WineHQ’s mailing list.

Why “software developers” would need access to the databases via phpMyAdmin is bizarre. It’s a general-purpose administration tool, not something suited to securely presenting data on the web. Whatever particular data the developers needed could have been presented by a purpose-built web application. Modularity is key: a breach of one component then does not bring the whole house down.

From a description of phpMyAdmin: “phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the World Wide Web. phpMyAdmin supports a wide range of operations with MySQL. The most frequently used operations are supported by the user interface (managing databases, tables, fields, relations, indexes, users, permissions, etc.), while you still have the ability to directly execute any SQL statement.”

That may be fine for low-value data, but it only takes one compromised password to dump everything. That’s weak. Further, the complexity of phpMyAdmin (feature bloat rather than necessity) exposes it to a myriad of attacks, e.g. this cascade.

There are many ways that phpMyAdmin can be used securely if access is restricted to a particular user, the administrator, but phpMyAdmin should not be depended upon to secure itself; history shows that repeatedly. One could use OpenSSH to give a remote system administrator secure access through a session run on the server, for instance, and OpenSSH can be hardened even beyond its already good baseline by moving ports, port knocking, etc. What were they thinking? FLOSS gave them the tools to secure their system and they ignored them. There are thousands of sites on the web running phpMyAdmin, often older versions, and some of them running as root without a password…

phpMyAdmin is a useful tool but it was clearly the wrong tool for the job they gave it. Unfortunately there are still thousands of sites running phpMyAdmin as root and Google can find them. Most of these should be restricted to “localhost” or the local LAN.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

3 Responses to Database Dumped by Intruder

  1. oiaohm says:

    Phenom, read the issue here fully.

    The risks were known at the start. The risk was taken because it was bet that it would not be attacked. This was kinda a mistake. Obscuring methods to hide the attack point were taken, yet those were not good enough. At this stage they have not said what obscuring has been used.

    Yes, phpmyadmin has been blamed on Windows for compromises as well.

    With FOSS someone is always responsible and most running it do own up. Windows runners are not that truthful.

    Contrarian, this is not the party line. If you go back in the Wine mailing list, the appdb developers were asking for access to do their work and the CodeWeavers admins were blocking on security issues. Really they should have held their ground.

    This is the big difference: what happened is on the public record. So no lying is possible. No incorrect placement of blame is possible. I would love to see some Windows admins have to live with this fact, of all their advice and actions being a matter of public record, so open to investigation after the fact of a breach.

    “it was either by compromising an admins credentials, or by exploiting an unpatched vulnerability in phpmyadmin.”

    Yes, the FOSS application is possibly being blamed at this stage. Of course they will be going into logs and other things to try to work out which one happened. There is a chance the breach was nothing more than a user name and password being breached.

  2. Contrarian says:

    Well, sure. That’s the party line and #pogson is, if nothing else, a loyal trooper. He has received the FSF Legion of Merit award for being the most prolific user of GNU/, as in GNU/Linux, as well.

  3. Phenom says:

    Of course, it is always user’s fault, when a F(L)OSS system is compromised.

    With “the other OS”, the user is always innocent.
