Wednesday, June 29, 2011

phpMyAdmin as a potential security vulnerability

I really like phpMyAdmin. I use it all the time when developing web apps, to configure my databases. There are probably better tools out there, but this one fits the bill for me. It lets you do things like adding fields to a table or configuring indexes through a web-based interface, with no need to remember complex SQL syntax. More importantly, by presenting all the options available for an operation, it forces you to think through what you're about to do. It also comes bundled in the MAMP tool that I use as an environment for web development on my Mac.

While it's perfectly fine to use phpMyAdmin in a development environment, I don't think it's a good idea to use it on a production server. It hands an attacker an easy target for brute-forcing their way into your database. What's the use of properly configuring your MySQL server so that it can be accessed only by scripts running on your web server if you're going to provide a backdoor that can be reached from any browser? That's probably why you won't find this tool available to install with package managers like yum.

You may think you're going to outsmart the attackers by renaming the app to something else, to make it hard to find, which is essentially relying on security by obscurity. If you really go that route, I'd recommend keeping the app available on your site only for the short time you're using it, then moving it to a folder that's not accessible via the web. And choose a hard-to-guess name. I once did that and chose to name it "pma" instead of "phpMyAdmin". Going through the server log the other day I found this trail of probes:


[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/phpMyAdmin
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/phpmyadmin
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/pma
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/myadmin
[Mon Jun 27 12:25:40 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/MyAdmin


Luckily, by that time I had grown wiser and had removed it long before the attempted attack. So they will come knocking, make no mistake about it.
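A scan like the one above is easy to miss if nobody reads the error log. The following shell script is an added example, not part of the original post: it pulls the "File does not exist" entries for the usual phpMyAdmin directory names out of an Apache error log and reports every client that tried several of them. The list of probe names, the threshold and the sample log (the five lines above plus one constructed, ordinary 404 from the documentation address 203.0.113.7) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: report clients that probe an
# Apache error log for the usual phpMyAdmin path names. The probe name list,
# the threshold and the sample log below are assumptions made for this example.

# Directory names commonly tried when looking for phpMyAdmin (assumed list).
PROBE_PATHS='phpMyAdmin|phpmyadmin|pma|myadmin|MyAdmin'

# probe_report LOGFILE [THRESHOLD]
# Prints "client-ip hits" for each client whose "File does not exist"
# errors for a probe path number at least THRESHOLD (default 3).
probe_report() {
    log="$1"
    threshold="${2:-3}"
    # Match the path name at the end of the message or before a ", referer:" suffix.
    grep -E "File does not exist: .*/(${PROBE_PATHS})(,|\$)" "$log" \
      | sed -n 's/.*\[client \([^]]*\)\].*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# write_sample_log FILE
# Writes a constructed sample: the scanner from the post plus one ordinary
# 404 from an unrelated client (203.0.113.7 is a documentation address).
write_sample_log() {
    cat > "$1" <<'EOF'
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/phpMyAdmin
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/phpmyadmin
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/pma
[Mon Jun 27 12:25:39 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/myadmin
[Mon Jun 27 12:25:40 2011] [error] [client 69.164.2.14] File does not exist: /var/www/html/pubpit/MyAdmin
[Mon Jun 27 12:26:01 2011] [error] [client 203.0.113.7] File does not exist: /var/www/html/pubpit/favicon.ico
EOF
}

# Demo on the constructed log. On a real server you would run
#   probe_report /var/log/httpd/error_log 3
sample=$(mktemp)
write_sample_log "$sample"
probe_report "$sample" 3
rm -f "$sample"
```

On the sample this prints `69.164.2.14 5` and says nothing about the favicon request; a cron job running it over yesterday's log is enough to notice that your server is being walked for admin panels, whatever you happened to name yours.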

A better way to interact with MySQL is the mysql command-line tool, which you access once you're logged into your server over an SSH connection. The only catch is that now you need to enter SQL commands. phpMyAdmin comes to the rescue here with its ability to display the equivalent SQL for whatever you just did through its web interface, so you can simply copy and paste those commands at the command prompt: run phpMyAdmin in your development environment, copy the SQL it shows, and paste it into the mysql prompt on your production server.

Alternatively, you can use the "Create PHP Code" link to build up a configuration/install script that sets up your application on the web server. You'll find this all the time with off-the-shelf apps, and such a script also helps with distributing your app to users and repeating the installation on many servers. Just one caveat: make sure you remove that script once you're done configuring, or code it in such a way that subsequent invocations can't cause harm. The last thing you want is a wise guy calling that script and wiping your whole database back to a clean slate :).
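Here is the SSH-and-mysql workflow from the previous paragraph and the "harmless to re-run" caveat from this one combined into one script. It is an added example and not the post's own code (nor what the "Create PHP Code" link produces): instead of a PHP file sitting in the web root, the schema is applied through the mysql command-line client from your SSH session, every statement only creates what is missing, and a marker file stops a second run before it starts. The database name app_db, the users table, the marker path and the MYSQL_CMD override are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a one-shot install script meant
# to be run through the mysql command-line client over SSH rather than left
# as a web-reachable PHP file. The SQL is written so a repeat run is harmless,
# and a marker file stops the script from even trying. The database name,
# table layout, marker path and MYSQL_CMD hook are assumptions for this example.

DB_NAME="${DB_NAME:-app_db}"
# Command that receives the SQL on stdin; credentials come from ~/.my.cnf.
# Override it (e.g. MYSQL_CMD=cat) to preview the SQL without a server.
MYSQL_CMD="${MYSQL_CMD:-mysql --defaults-file=$HOME/.my.cnf $DB_NAME}"
# Local record that the install already ran (path is an assumption).
INSTALL_MARKER="${INSTALL_MARKER:-$HOME/.${DB_NAME}_installed}"

# schema_sql: every statement is idempotent, so applying it twice cannot
# drop or truncate anything (no DROP, no TRUNCATE, no unconditional INSERT).
schema_sql() {
    cat <<'EOF'
CREATE TABLE IF NOT EXISTS schema_install (
  version      VARCHAR(16) NOT NULL,
  installed_at DATETIME    NOT NULL,
  PRIMARY KEY (version)
);
CREATE TABLE IF NOT EXISTS users (
  id    INT UNSIGNED NOT NULL AUTO_INCREMENT,
  email VARCHAR(255) NOT NULL,
  PRIMARY KEY (id),
  UNIQUE KEY uq_users_email (email)
);
INSERT IGNORE INTO schema_install (version, installed_at) VALUES ('1.0', NOW());
EOF
}

# install_schema: apply the schema once. Returns 0 on the first run, 2 when
# the marker says it was already done, 1 if the mysql client failed.
install_schema() {
    if [ -f "$INSTALL_MARKER" ]; then
        echo "schema already applied (marker: $INSTALL_MARKER); nothing to do" >&2
        return 2
    fi
    schema_sql | sh -c "$MYSQL_CMD" || return 1
    date > "$INSTALL_MARKER"
    echo "schema applied to $DB_NAME"
}

# Runs only when invoked with --run, e.g. after `scp install.sh host:` and
#   ssh host 'sh install.sh --run'
case "${1:-}" in
    --run) install_schema ;;
esac
```

Copy the script to the server and run it from your SSH session with `sh install.sh --run`; `MYSQL_CMD=cat sh install.sh --run` prints the SQL instead of sending it, which is a cheap way to review what phpMyAdmin handed you before it touches production. Because nothing here is reachable from the web there is no script to remember to delete afterwards, and because the SQL only ever creates what is missing, a second run leaves existing rows untouched even if the marker file gets lost.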