phpMyAdmin Security Bulletin

2011-06-23. Category & Tags: Others

**!!! Security Bulletin !!!**

FutureQuest strongly recommends password protecting ALL phpMyAdmin installations.

**!!! Security Bulletin !!!**

All right, so you want to install phpMyAdmin.

First, go to http://www.phpMyAdmin.net and download phpMyAdmin.

(Note: The following instructions were written for phpMyAdmin version 3.3.8, which requires PHP5 and MySQL5. PHP5 is currently the default PHP at FutureQuest. MySQL5 is the default on all new packages and available by request on legacy accounts. Check the Server Info section of your CNC (Command’N’Control) panel for your account’s configuration. If you are installing a different version of phpMyAdmin, there may be some slight changes to the instructions below.)

TIP: Before beginning this installation, make sure you have the following information on hand: name of the MySQL ‘host’ server, your username for MySQL access, and your MySQL password. You can find the information for the host name and username by visiting the MySQL Account Manager in your CNC (Command’N’Control) panel. If you have forgotten your MySQL password, you will also be able to reset it through your MySQL Account Manager. Note that doing so will change the MySQL password for all of your MySQL databases.

Please also make sure that you have cookies enabled in your browser.

Next, unzip/untar all the files and directories. According to the directions included with phpMyAdmin (Documentation.html):

“Warning for Mac users:
if you are on a Mac OS version before OS X, StuffIt unstuffs with Mac formats.
So you’ll have to resave as in BBEdit to Unix style ALL phpMyAdmin scripts
before uploading them to your server, as PHP seems not to like Mac-style end of
lines character ("\r").”

Once you have uploaded the files to the server, you will need to configure phpMyAdmin with your specific settings. There are two ways to do so. One is to use the wizard-style setup script that is included with phpMyAdmin, which will provide a graphical interface for inputting the settings (but seemed to be a little buggy at the original time of this writing). The other way is to create a config.inc.php file yourself, which in truth is not any more difficult and allows for some advanced features.

For the purposes of this tutorial, we will be using the second option of creating the config.inc.php file but we are only going to be working with the minimum requirements. For more advanced users or those who wish to have the advanced features, please consult the documentation included with phpMyAdmin. Additional support in this area may also be able to be found in the FutureQuest Community Forums:
http://www.AOTA.net/Forums/

To get started, you’ll need to create a file named config.inc.php directly within your phpMyAdmin directory. (There may be a config.sample.inc.php file in there already and, if you wish, you can create a copy of it and name it config.inc.php to use it as a template.)

Note: phpMyAdmin first loads libraries/config.default.php and then overrides those values with anything found in config.inc.php. If the default value is okay for a particular setting, there is no need to include it in config.inc.php. You’ll need a few directives in your config.inc.php file though to get going and a simple configuration may look like this:

```php
<?php
// Server definitions are numbered from 1; $i selects the current one.
$i = 0;
$i++;
// Full URL of the directory that holds these phpMyAdmin files.
$cfg['PmaAbsoluteUri'] = 'http://example.com/pma/';
// Your MySQL host, as shown in the MySQL Account Manager of your CNC panel.
$cfg['Servers'][$i]['host'] = 'MySQL.example.com';
// cookie = prompt for the MySQL login in the browser, nothing stored on disk.
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// Passphrase used to encrypt the login cookie; pick your own random value.
$cfg['blowfish_secret'] = 'Joey did 125 jumping jacks Tuesday morning!';
// Leave empty with the cookie method; only the config method fills these in.
$cfg['Servers'][$i]['user'] = '';
$cfg['Servers'][$i]['password'] = '';
// The closing tag is optional in a pure-PHP file; if you keep it, nothing
// (not even a blank line) may follow it.
?>
```

Your settings need to be entered in between the ’ ‘ marks after the equal signs. A description of the settings follows, as well as the specific changes you need to make to the above sample configuration to have it work on your FutureQuest hosting package:

$cfg['PmaAbsoluteUri'] = 'http://example.com/pma/'; – replace example.com with your domain name and pma with the name of the directory that contains your phpMyAdmin files

$cfg['Servers'][$i]['host'] = 'MySQL.example.com'; – replace example.com with your domain name

$cfg['Servers'][$i]['auth_type'] = ''; – dictates the authentication method used when connecting to your phpMyAdmin installation - see below

The options for authentication are:

  • cookie (recommended method)
  • http
  • config
  • signon

cookie and http authentication methods - These methods are considered more secure than the config method, as your username and password are not stored on the server in your configuration file. Note that with either method the MySQL password still crosses the network (with http authentication the browser resends it, Base64-encoded, on every request), so use an https:// address for your phpMyAdmin directory whenever your hosting package offers one.

The ‘http’ option uses the Apache HTTP Basic authentication method. The ‘cookie’ method uses cookies and has the advantage that you can “Log Out” at the end of your session, deleting the cookie. The above sample config.inc.php file is based on the cookie authentication mode.

config method - This method requires storing your MySQL username and password in the file on the server. Therefore, if you choose to use the config option, you will need to be sure to password protect the directory that your phpMyAdmin files reside in, as otherwise anyone who finds the directory of your phpMyAdmin installation can access your databases without logging in at all. This is EXTREMELY important. Do not skip the password protection step if you choose the config method. For information on how to password protect directories, visit the Password Protection Tutorial.

$cfg['blowfish_secret'] = ''; – used with the cookie method only. If you specified cookie in the auth_type above, type in a random phrase up to 46 characters long for this setting. phpMyAdmin uses this passphrase internally to encrypt the MySQL password kept in the login cookie; you will not be prompted for it later. Because anyone who learns it can decrypt that cookie, prefer a string of random characters over a memorable sentence like the one in the sample, and do not reuse it anywhere else.

$cfg['Servers'][$i]['user'] = ''; – MySQL username if you are using the config method - otherwise leave blank

$cfg['Servers'][$i]['password'] = ''; – MySQL password only if you are using the config method - otherwise leave blank

Make sure you don’t have any blank lines or other whitespace after the closing ?> (PHP sends anything that follows that tag straight to the browser, and output before the HTTP headers prevents the login cookie from being set), then save the file as config.inc.php. Since the file contains nothing but PHP, you can also simply leave the closing ?> out.
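The following shell script is an added example and is not code from the FutureQuest page or from phpMyAdmin itself. It writes a config.inc.php for the cookie method with a randomly generated blowfish_secret and no closing ?>, and then lints any config.inc.php for the weak settings discussed above (the config method, a stored MySQL password, an empty blowfish_secret, a closing tag). The host name, URL and paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the FutureQuest page or from phpMyAdmin itself.
# Writes a config.inc.php for cookie authentication with a random
# blowfish_secret and no closing ?>, then lints a config.inc.php for the
# weak settings discussed above. Host name, URL and paths are assumptions.

# Print a 46-character random passphrase (hex) for $cfg['blowfish_secret'].
make_blowfish_secret() {
    head -c 64 /dev/urandom | od -An -tx1 | tr -d ' \n' | cut -c1-46
}

# write_pma_config DIR HOST URI SECRET : create DIR/config.inc.php using the
# cookie method; user/password stay empty so no MySQL credential is on disk.
write_pma_config() {
    dir=$1; host=$2; uri=$3; secret=$4
    printf '%s\n' \
        '<?php' \
        '$i = 0;' \
        '$i++;' \
        "\$cfg['PmaAbsoluteUri'] = '$uri';" \
        "\$cfg['Servers'][\$i]['host'] = '$host';" \
        "\$cfg['Servers'][\$i]['auth_type'] = 'cookie';" \
        "\$cfg['blowfish_secret'] = '$secret';" \
        "\$cfg['Servers'][\$i]['user'] = '';" \
        "\$cfg['Servers'][\$i]['password'] = '';" \
        > "$dir/config.inc.php"
    # No closing ?> is written, so nothing can be emitted before the headers.
}

# check_pma_config FILE : return 0 if FILE avoids the settings this page warns
# about, otherwise print each finding and return 1.
check_pma_config() {
    file=$1; rc=0
    if grep -q "\['auth_type'\] = 'config'" "$file"; then
        echo "$file: auth_type 'config' keeps MySQL credentials on the server; the directory MUST be password protected"
        rc=1
    fi
    if grep -q "\['password'\] = '..*'" "$file"; then
        echo "$file: a MySQL password is stored in the configuration file"
        rc=1
    fi
    if grep -q "\['blowfish_secret'\] = ''" "$file"; then
        echo "$file: blowfish_secret is empty; the cookie method needs a random passphrase"
        rc=1
    fi
    if grep -q '?>' "$file"; then
        echo "$file: closing ?> present; any whitespace after it is sent before the headers"
        rc=1
    fi
    return $rc
}

# Usage (paths are assumptions for this example):
#   write_pma_config /home/you/www/pma MySQL.example.com http://example.com/pma/ "$(make_blowfish_secret)"
#   check_pma_config /home/you/www/pma/config.inc.php
```

Run check_pma_config against an existing config.inc.php before you expose the directory: a non-zero exit means at least one of the settings this tutorial warns about is present.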

Now, open your web browser and visit
http://www.example.com/pma/index.php

(replace example.com with your domain name and pma with whatever directory your phpMyAdmin is in). You should see a welcome page and, after logging in with your MySQL username and password if you used the cookie method above, you will be able to start working with your databases!

Important Note: For security reasons, phpMyAdmin now recommends that all installations protect access to the ./libraries and ./setup/lib subfolders in your phpMyAdmin directory. The easiest way to do this is probably just to password protect your entire phpMyAdmin directory. Once your config.inc.php is in place the setup script is no longer needed, so you can also simply delete the setup directory. For information on how to password protect directories, visit the Password Protection Tutorial.

!!! Remember !!! If you used the config authentication method, you will want to immediately password protect your phpMyAdmin directory to secure it and prevent general access.

FutureQuest strongly recommends password protecting ALL phpMyAdmin installations, even if using the cookie or http authentication options, as extra protection against unauthorized access.
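The script below is an added example and is not code from the FutureQuest page, its Password Protection Tutorial, or phpMyAdmin. It covers the two protections asked for above: HTTP Basic authentication on the whole phpMyAdmin directory (the step that is mandatory with the config method) and a block on direct web requests to ./libraries and ./setup/lib. It assumes Apache with .htaccess overrides enabled; both the Apache 2.2 (Order/Deny) and 2.4 (Require) forms are written so the file works on either. The htpasswd path and directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the FutureQuest page, its Password Protection
# Tutorial, or phpMyAdmin. Puts HTTP Basic authentication on the whole
# phpMyAdmin directory and denies direct web access to ./libraries and
# ./setup/lib. Assumes Apache with .htaccess overrides enabled; both the
# 2.2 (Order/Deny) and 2.4 (Require) forms are written so either works.

# protect_pma_dir DIR HTPASSWD : write DIR/.htaccess demanding a valid user
# from the password file HTPASSWD (create it with: htpasswd -c HTPASSWD you).
protect_pma_dir() {
    dir=$1; htpasswd=$2
    case $htpasswd in
        /*) ;;
        *)  echo "AuthUserFile must be an absolute path: $htpasswd" >&2; return 1 ;;
    esac
    case $htpasswd in
        "$dir"/*) echo "keep the password file outside the web directory: $htpasswd" >&2; return 1 ;;
    esac
    cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "phpMyAdmin"
AuthUserFile $htpasswd
Require valid-user
EOF
}

# deny_subdir DIR : refuse every web request for DIR and anything below it.
deny_subdir() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# harden_pma DIR HTPASSWD : apply both protections to a phpMyAdmin install.
harden_pma() {
    protect_pma_dir "$1" "$2" || return 1
    deny_subdir "$1/libraries"
    deny_subdir "$1/setup/lib"
}

# verify_pma_protection DIR : succeed only when every expected rule is in place.
verify_pma_protection() {
    dir=$1
    grep -q '^Require valid-user$' "$dir/.htaccess" 2>/dev/null &&
    grep -q 'Deny from all' "$dir/libraries/.htaccess" 2>/dev/null &&
    grep -q 'Deny from all' "$dir/setup/lib/.htaccess" 2>/dev/null
}

# Usage (paths are assumptions for this example):
#   htpasswd -c /home/you/.htpasswd you
#   harden_pma /home/you/www/pma /home/you/.htpasswd && verify_pma_protection /home/you/www/pma
```

The password file is deliberately kept outside the phpMyAdmin directory so that it can never be fetched over the web, and AuthUserFile must be an absolute path or Apache will look for it relative to its own ServerRoot. Basic authentication sends the password with every request, so this layer, like the phpMyAdmin login itself, is only as private as the connection; prefer an https:// address where one is available.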