… you are asking for trouble. I learned this valuable lesson past weekend. You need to protect your phpMyAdmin folder from outside world or you are asking for trouble.
I went to a conference about security called Hackintosh, where we had a competitive event called ‘Capture the Flag’. The event was structured like a game and consisted of 10 different levels. At each level, you have to solve a problem by hacking into a sample application using some vulnerability. Each level had problems in increasing order of complexity and most of them were very interesting.
After about 4 levels, I found out that the phpMyAdmin folder of the server, in which the event site was hosted, was public. I logged into the database (it didn’t asked me for the password) and updated the level column corresponding to my username row to 10. That’s it, I conquered the flag. In the end, I ended up hacking the Hackintosh
Jokes apart, the valuable lesson I learned from this event is that you should never leave the phpMyAdmin folder (if installed) open. You can do the following instead.
- Totally get away with phpMyAdmin and connect to the database using port forwarding in PuTTY.
- If you cannot get away with phpMyAdmin, then at least password protect the folder and database access.
- If you cannot password protect the folder at least rename it. (Not recommended at all)
So do you still have your phpMyAdmin folder open?