phpMyAdmin – Exploited Wildly in Public

“Vulnerability in phpmyadmin in squeeze has been exploited wildly in public.”

Come on, people. If you need a GUI to administer MySQL, there are better ways to do it than exposing a PHP script to the world:

  • restrict phpMyAdmin to “localhost” (have the web server listen only on 127.0.0.1, or deny every other client address in its access rules) and forward port 80 over OpenSSH,
  • restrict phpMyAdmin to “localhost”, run the browser or a GUI client application on the server itself, and forward its X11 display over OpenSSH (ssh -X), or
  • forward the MySQL port over OpenSSH and use a GUI client where you are.

The key is port forwarding over OpenSSH. This should be the default means of carrying sensitive data across the network. The tunnel encrypts the traffic in transit, and because the service itself only listens on the server's loopback interface, the only way to reach it from outside is to authenticate to sshd first, with the same keys or passwords that already guard the machine.

Run this on your PC: ssh -q -N -L 4025:127.0.0.1:3306 username@remote-server, and MySQL will be available on local port 4025 (-N keeps ssh from opening a shell you do not need). Note the 127.0.0.1 in the middle of the -L argument: that host name is resolved on the server, not on your PC, so the server's own loopback address lets MySQL keep bind-address = 127.0.0.1 in my.cnf and stay unreachable from the network. Then run phpMyAdmin, MySQL Query Browser or another GUI on your local PC, pointed at host 127.0.0.1 and port 4025 (not “localhost”: the MySQL client treats that name as a request for the local Unix socket and ignores the port). You can use 3306 as the local port instead of an arbitrary port like 4025 if you are not running MySQL on your PC already.
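The third option from the list above and the ssh command just given, as one script. This is an added example, not code from the original post: it opens the forward with both ends pinned to loopback, refuses a forward spec that would bind to every interface or point at anything but the server's loopback, waits for the local port to come up, runs the mysql client against 127.0.0.1, and closes the tunnel through an OpenSSH control socket. The host db.example.org, the user dba and local port 4025 are assumptions; every ssh and mysql flag used is a standard one.

```shell
#!/usr/bin/env bash
# mysql-tunnel.sh: reach a MySQL server that listens only on 127.0.0.1 on the
# remote host through an OpenSSH local port forward, then close the tunnel.
# Added example, not from the original post. db.example.org, dba and port 4025
# are assumptions; override them through the environment.
set -eu

REMOTE_HOST="${REMOTE_HOST:-db.example.org}"
REMOTE_USER="${REMOTE_USER:-dba}"
LOCAL_PORT="${LOCAL_PORT:-4025}"          # any port that is free on your PC
MYSQL_PORT=3306
CTL_SOCKET="${TMPDIR:-/tmp}/mysql-tunnel.$$"

# Build the -L argument. Both ends are pinned to loopback: the local bind so
# that nobody else on your LAN can ride the tunnel, the remote target so that
# sshd connects to MySQL on the server's own loopback interface, where a
# MySQL configured with bind-address = 127.0.0.1 listens.
forward_spec() {
    local lport="$1" rport="${2:-3306}"
    printf '127.0.0.1:%s:127.0.0.1:%s' "$lport" "$rport"
}

# Sanity check for a -L spec: refuse anything whose local end is not loopback
# (0.0.0.0 or *, which together with GatewayPorts or -g would expose the
# forwarded port to the network), whose remote target is not the server's
# loopback address, or that lacks the explicit four-field form.
forward_spec_ok() {
    local spec="$1" bind lport rhost rport
    IFS=: read -r bind lport rhost rport <<EOF
$spec
EOF
    [ -n "$rport" ] || return 1                       # need all four fields
    case "$bind" in  127.0.0.1|localhost) ;; *) return 1 ;; esac
    case "$rhost" in 127.0.0.1|localhost) ;; *) return 1 ;; esac
    case "$lport$rport" in *[!0-9]*) return 1 ;; esac  # ports are numeric
    return 0
}

# Poll until the forwarded local port accepts connections. Uses bash's
# /dev/tcp; on a system without bash use `nc -z 127.0.0.1 "$port"` instead.
wait_for_port() {
    local port="$1" tries="${2:-10}"
    while [ "$tries" -gt 0 ]; do
        if (exec 3<>"/dev/tcp/127.0.0.1/$port") 2>/dev/null; then
            return 0
        fi
        tries=$((tries - 1)); sleep 1
    done
    return 1
}

open_tunnel() {
    local spec
    spec="$(forward_spec "$LOCAL_PORT" "$MYSQL_PORT")"
    forward_spec_ok "$spec" || { echo "refusing unsafe forward: $spec" >&2; return 1; }
    # -N: no remote shell; -f: background after authentication; -M/-S: control
    # socket so the tunnel can be closed cleanly; ExitOnForwardFailure: fail
    # loudly if the local port is taken instead of silently running without it.
    ssh -q -N -f -M -S "$CTL_SOCKET" -o ExitOnForwardFailure=yes \
        -L "$spec" "${REMOTE_USER}@${REMOTE_HOST}"
    wait_for_port "$LOCAL_PORT"
}

close_tunnel() {
    ssh -S "$CTL_SOCKET" -O exit "${REMOTE_USER}@${REMOTE_HOST}" 2>/dev/null || true
}

# Connect through the tunnel. -h 127.0.0.1 matters: with -h localhost the mysql
# client ignores -P and uses the local Unix socket instead of TCP.
query_through_tunnel() {
    mysql -h 127.0.0.1 -P "$LOCAL_PORT" --protocol=tcp -u "$1" -p \
        -e 'SELECT USER(), @@hostname, @@port;'
}

main() {
    open_tunnel
    trap close_tunnel EXIT
    query_through_tunnel "${MYSQL_USER:-root}"
}

# Run the tunnel only when executed directly, not when sourced for its functions.
case "$0" in *mysql-tunnel.sh) main ;; esac
```

Run it as REMOTE_HOST=db.example.org REMOTE_USER=dba ./mysql-tunnel.sh, or source it (. ./mysql-tunnel.sh) to reuse the functions from another script. On the server, the matching setting is bind-address = 127.0.0.1 in the [mysqld] section of my.cnf; forward_spec_ok exists because the short form -L 4025:remote-server:3306 from the paragraph above has sshd resolve remote-server on the server, which only works if MySQL is listening on a routable interface, exactly what the tunnel is meant to avoid.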

If you have multiple users needing the access, do the same thing for each of their PCs.

Of course phpMyAdmin needs fixing, but port forwarding is a quick fix in many cases and may well keep other vulnerabilities from biting: whatever is found in phpMyAdmin next, the only thing listening on the network is sshd. The simplest solution is often the best in terms of both performance and security. The particular vulnerability is only exploitable by authenticated users, but you never know what the future holds. A layered defence that minimizes risk at each layer is best.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.
This entry was posted in technology.

One Response to phpMyAdmin – Exploited Wildly in Public

  1. oiaohm says:

    From time of report to fixed in sid, testing and stable is 3 days. Not too bad really.
