phpMyAdmin Installation Not Password Protected

High Nessus Plugin ID 40352


Access to the remote PHP application is not password protected.


The version of phpMyAdmin installed on the remote web server allows unrestricted, unauthenticated access. This is likely due to setting the 'auth_type' to 'config' and storing login credentials in the configuration file.

A remote attacker could exploit this to execute arbitrary SQL queries, delete databases, or possibly even execute arbitrary code remotely.


Restrict access to phpMyAdmin using one of the methods referred to in the vendor's documentation.
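
One way to check a `config.inc.php` for the condition described above ('auth_type' set to 'config' with login credentials stored in the file). This is an added example, not code from the Nessus plugin or from phpMyAdmin; it assumes the file uses the usual `$cfg['Servers'][$i][...]` assignments with `$i++;` between server entries. The function names and the `SAMPLE` configuration are constructed for illustration.

```python
import re

# Assignment of the form $cfg['Servers'][$i]['key'] = value;
ASSIGN = re.compile(
    r"^\s*\$cfg\['Servers'\]\[\s*(\$i|\d+)\s*\]\['(\w+)'\]\s*=\s*(.+?)\s*;")
INCR = re.compile(r"^\s*\$i\+\+\s*;")  # "$i++;" starts the next server entry

def parse_servers(php_text):
    """Return {server_index: {key: value}} from config.inc.php text."""
    text = re.sub(r"/\*.*?\*/", "", php_text, flags=re.DOTALL)  # drop block comments
    servers, i = {}, 0
    for line in text.splitlines():  # lines starting with // or # never match
        if INCR.match(line):
            i += 1
            continue
        m = ASSIGN.match(line)
        if m:
            idx = i if m.group(1) == "$i" else int(m.group(1))
            servers.setdefault(idx, {})[m.group(2)] = m.group(3).strip("'\"")
    return servers

def audit(php_text):
    """List (index, host, user, credentials_stored) for auth_type 'config' servers."""
    findings = []
    for idx, s in sorted(parse_servers(php_text).items()):
        if s.get("auth_type", "").lower() == "config":
            stored = "user" in s or "password" in s  # never echo the password itself
            findings.append((idx, s.get("host"), s.get("user"), stored))
    return findings

# Constructed sample configuration (not taken from any real installation).
SAMPLE = r"""<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'example-only';
$i++;
$cfg['Servers'][$i]['host'] = 'db2.example.internal';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
// $cfg['Servers'][$i]['auth_type'] = 'config';
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print("server %d (%s): auth_type=config, user=%r, credentials stored=%s" % f)
```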

Plugin Details

Severity: High

ID: 40352

File Name: phpmyadmin_unpassworded.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 2009/07/23

Updated: 2018/11/15

Dependencies: 17219

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/phpMyAdmin, www/PHP

Excluded KB Items: Settings/disable_cgi_scanning