
Protect your phpMyAdmin folder, or …

… you are asking for trouble. I learned this valuable lesson last weekend. You need to protect your phpMyAdmin folder from the outside world or you are asking for trouble.

I went to a security conference called Hackintosh, where there was a competitive event called ‘Capture the Flag’. The event was structured like a game and consisted of 10 levels. At each level you had to solve a problem by hacking into a sample application through some vulnerability. The levels increased in complexity and most of them were very interesting.

After about 4 levels, I found out that the phpMyAdmin folder of the server on which the event site was hosted was public. I logged into the database (it didn’t ask me for a password) and updated the level column of my username’s row to 10. That’s it, I captured the flag. In the end, I ended up hacking the Hackintosh 😉

Jokes aside, the valuable lesson I learned from this event is that you should never leave the phpMyAdmin folder (if installed) open to the world. Do one of the following instead, in order of preference.

  • Do without phpMyAdmin entirely and connect to the database over an SSH tunnel (local port forwarding in PuTTY, or `ssh -L` on Linux/macOS), with MySQL listening only on the server’s loopback interface.
  • If you cannot do without phpMyAdmin, then at least password-protect the folder (HTTP authentication in the web server) and make sure the database account itself requires a password, rather than storing credentials in phpMyAdmin’s config.
  • If you cannot password-protect the folder, at least rename it. (Not recommended at all: this is security by obscurity and only buys time against scanners.)
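The following script is an added example and is not code from the original post. It audits a phpMyAdmin `config.inc.php` for the two settings that let a visitor in without ever being asked for a password (`auth_type = 'config'`, which stores the database credentials in the file, and `AllowNoPassword = true`), then prints the two fixes recommended above: an SSH tunnel instead of phpMyAdmin, and HTTP Basic authentication on the phpMyAdmin folder. The sample config, the host `db.example.com`, the user `alice`, the local port 3307 and the file paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a phpMyAdmin
# config.inc.php for settings that remove the login prompt, then prints the
# two fixes the post recommends. Host, user and paths are assumptions.

# pma_config_audit FILE
# Returns 0 when the config forces a browser login and rejects empty
# passwords; returns 1 (and prints a warning) when auth_type is 'config'
# (credentials stored in the file, so no prompt) or AllowNoPassword is true.
# PHP line comments (// and #) are stripped first so commented-out settings
# are not reported.
pma_config_audit() {
    live=$(sed -e 's,//.*$,,' -e 's,^[[:space:]]*#.*$,,' "$1")
    rc=0
    if printf '%s\n' "$live" | grep -Eq "\['auth_type'\][[:space:]]*=[[:space:]]*'config'"; then
        echo "WARN: auth_type='config' stores the DB credentials in config.inc.php; visitors are never asked for a password"
        rc=1
    fi
    if printf '%s\n' "$live" | grep -Eq "\['AllowNoPassword'\][[:space:]]*=[[:space:]]*true"; then
        echo "WARN: AllowNoPassword=true lets any MySQL account with an empty password log in"
        rc=1
    fi
    return $rc
}

# tunnel_command LOCAL_PORT SSH_USER HOST
# The replacement for phpMyAdmin: forward a local port to MySQL on the
# server's loopback interface, so port 3306 never has to be reachable from
# outside. In PuTTY this is Connection > SSH > Tunnels with the same
# source port and destination.
tunnel_command() {
    printf 'ssh -N -L %s:127.0.0.1:3306 %s@%s\n' "$1" "$2" "$3"
}

# apache_protect_block PMA_DIR HTPASSWD_FILE
# Apache directives that put HTTP Basic authentication in front of the
# phpMyAdmin folder. Create the user file first with:
#   htpasswd -c HTPASSWD_FILE admin
apache_protect_block() {
    cat <<EOF
<Directory "$1">
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile "$2"
    Require valid-user
</Directory>
EOF
}

# Demo on a constructed config.inc.php that reproduces the CTF server's
# mistake: credentials baked into the file, so there is no login screen.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'PHP'
<?php
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
PHP
if pma_config_audit "$demo_cfg"; then
    echo "config.inc.php looks fine"
else
    echo "Fix 1: drop phpMyAdmin and use:  $(tunnel_command 3307 alice db.example.com)"
    echo "        then connect with:       mysql -h 127.0.0.1 -P 3307 -u alice -p"
    echo "Fix 2: or at least add this to the Apache config:"
    apache_protect_block /usr/share/phpmyadmin /etc/apache2/.pma_htpasswd
fi
rm -f "$demo_cfg"
```

Run it against a real `config.inc.php` by calling `pma_config_audit /path/to/config.inc.php` after sourcing the script. Two caveats: HTTP Basic auth only hides the password from the network if the folder is served over HTTPS, and the tunnel only removes the exposure if MySQL is bound to `127.0.0.1` (`bind-address` in `my.cnf`) rather than all interfaces.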

So do you still have your phpMyAdmin folder open? 🙂

Posted in Events/Conferences, Security