phpMyAdmin Installation Not Password Protected

Nessus Plugin ID 40352 (severity: high)

Synopsis

Access to the remote PHP application is not password protected.

Description

The version of phpMyAdmin installed on the remote web server allows unrestricted, unauthenticated access. This is most likely because 'auth_type' is set to 'config' and the database login credentials are stored in phpMyAdmin's configuration file, so every visitor is logged in with those credentials automatically.

A remote attacker could exploit this to execute arbitrary SQL queries, delete databases, or possibly even execute arbitrary code remotely.

Solution

Restrict access to phpMyAdmin using one of the methods referred to in the vendor's documentation.

See Also

https://docs.phpmyadmin.net/en/latest/#authentication_modes

Plugin Details

Severity: High

ID: 40352

File Name: phpmyadmin_unpassworded.nasl

Version: 1.11

Type: remote

Family: CGI abuses

Published: 7/23/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/PHP, www/phpMyAdmin

Excluded KB Items: Settings/disable_cgi_scanning