phpMyAdmin Installation Not Password Protected

Nessus Plugin ID 40352 (Severity: High)

Synopsis

Access to the remote PHP application is not password protected.

Description

The version of phpMyAdmin installed on the remote web server allows unrestricted, unauthenticated access. This is likely due to setting the 'auth_type' to 'config' and storing login credentials in the configuration file.

A remote attacker could exploit this to execute arbitrary SQL queries, delete databases, or possibly even execute arbitrary code remotely.

Solution

Restrict access to phpMyAdmin using one of the methods referred to in the vendor's documentation.
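As an added example, not taken from this plugin page, from Tenable, or from the phpMyAdmin project, the fragment below shows the weak configuration the description refers to next to one of the restricted modes the vendor documentation describes. It assumes the settings live in phpMyAdmin's config.inc.php, that the database runs on localhost, and that the account name and the secret values are placeholders; the two fragments are alternatives for the same server entry and are shown together only for comparison.

```php
<?php
// Added example (not from the Nessus plugin page or the phpMyAdmin project).
// Both fragments target the same server entry; keep only one of them.

$i = 1;

// --- Weak setting: the condition plugin 40352 reports ----------------------
// With auth_type 'config', phpMyAdmin reads the database account from this
// file and never asks the browser for credentials, so anyone who can reach
// the URL is logged in as that account.
$cfg['Servers'][$i]['host']      = 'localhost';               // assumed host
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user']      = 'root';                    // constructed
$cfg['Servers'][$i]['password']  = 'PLACEHOLDER_PASSWORD';    // placeholder

// --- Corrected setting ----------------------------------------------------
// With auth_type 'cookie', phpMyAdmin prompts for the MySQL username and
// password on every new session and keeps them in an encrypted cookie.
// The credentials are removed from the file; blowfish_secret is the key
// used to encrypt that cookie and must be a random 32-byte string.
$cfg['blowfish_secret'] = 'REPLACE_WITH_A_RANDOM_32_BYTE_STRING'; // placeholder
$cfg['Servers'][$i]['host']      = 'localhost';               // assumed host
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['user']      = '';
$cfg['Servers'][$i]['password']  = '';
```

The vendor documentation linked below also describes 'http' and 'signon' modes; any of the three makes the application prompt for credentials instead of reading them from the file. To confirm the change took effect, open the phpMyAdmin URL from a browser with no existing session and check that a login form appears before any database content, which is also the condition this plugin tests for.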

See Also

https://docs.phpmyadmin.net/en/latest/#authentication_modes

Plugin Details

Severity: High

ID: 40352

File Name: phpmyadmin_unpassworded.nasl

Version: 1.9

Type: remote

Family: CGI abuses

Published: 2009/07/23

Updated: 2018/11/15

Dependencies: 17219

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:phpmyadmin:phpmyadmin

Required KB Items: www/phpMyAdmin, www/PHP

Excluded KB Items: Settings/disable_cgi_scanning