I was looking for the wiki of a popular Linux-based firewall site. The main URL was a 404, so I went up one level hoping to find a new URL. Suddenly I had a directory listing with interesting files and a link to phpMyAdmin. Wondering how a firewall site maintains its own security, I clicked on phpMyAdmin, fully expecting a password prompt.

Surprisingly, I found the site's phpMyAdmin to be openly accessible to all. It showed several databases, including but not limited to bugtracker, wiki, drupal and one that looked like an invoice database. I dared not venture further. I immediately sent an email to the only contact email I found in their old documentation. It is really scary.

This is a serious problem. By opening up phpMyAdmin you expose all the data in your MySQL database to the world at large. This allows anyone to view and modify your data, and your website too. CMSes like Drupal, blogging software like WordPress and most wikis are MySQL database driven. Allowing anyone to change the database directly lets them change your website as well and view all your confidential information. They can even use your website for phishing expeditions, so you will finally be blamed for their phishing activities.

phpMyAdmin is a popular web-based MySQL database management tool written in PHP. It allows you to protect the web interface with a password, but many, either out of laziness or for convenience, decide to disable the password, which can have serious consequences.

How can you protect phpMyAdmin?
1. You must assign a login and password for accessing the directory.

2. You should restrict access to only the specific IP addresses you are likely to use to access the data.

3. Change the directory name to something more obscure than the default phpMyAdmin created by a standard rpm install. This is called security by obscurity.
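The three measures above, expressed as one Apache 2.4 configuration fragment. This is an added example, not configuration from the original post or from the phpMyAdmin project; it assumes phpMyAdmin is installed at /usr/share/phpMyAdmin (the usual RPM location), that the password file is created with `htpasswd -c /etc/httpd/conf/pma.htpasswd admin`, and that the URL path `/dbadmin-7f3a` and the two IP ranges are made-up values to be replaced with your own.

```apache
# Added example: hardening the phpMyAdmin directory in Apache 2.4.
# Remove or comment out the RPM-supplied "Alias /phpMyAdmin ..." line in
# /etc/httpd/conf.d/phpMyAdmin.conf so the default name no longer resolves.

# 3. Serve phpMyAdmin under a non-default URL (assumed value, pick your own).
Alias /dbadmin-7f3a /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    AllowOverride None

    # 1. Web-server level login in front of phpMyAdmin's own login.
    #    Password file created beforehand with:
    #    htpasswd -c /etc/httpd/conf/pma.htpasswd admin
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile /etc/httpd/conf/pma.htpasswd

    # 2. Only the administrator's addresses may even reach the login prompt.
    #    RequireAll means BOTH conditions must hold: an allowed source
    #    address AND a valid username/password. Addresses are placeholders.
    <RequireAll>
        Require ip 192.0.2.10 198.51.100.0/24
        Require valid-user
    </RequireAll>
</Directory>
```

Basic authentication sends the credentials with every request in a trivially reversible encoding, so this fragment only protects the login if the directory is served over HTTPS. After reloading Apache, confirm that a request from an outside address to both the old and the new path returns 403 or 401 rather than the phpMyAdmin page.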