Unprotected phpMyAdmin interface
Description
phpMyAdmin is a web-based administration interface for MySQL databases. This vulnerability occurs when phpMyAdmin is accessible without authentication due to the MySQL root account having no password set. By default, MySQL installations create a root account with an empty password, allowing unrestricted administrative access to anyone who can reach the phpMyAdmin interface.
Remediation
Immediately set a strong password for the MySQL root account to prevent unauthorized access. Use the mysqladmin command-line tool to set the root password:
mysqladmin -u root password 'NewStrongPassword' # If root already has a password that you're changing: mysqladmin -u root -p'OldPassword' password 'NewStrongPassword'
Alternatively, connect to MySQL and use SQL commands:
mysql -u root ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewStrongPassword'; FLUSH PRIVILEGES;
After setting the password, update the phpMyAdmin configuration file (config.inc.php) with the new credentials if using the 'config' authentication type, or ensure users are prompted to log in. Additionally, restrict access to phpMyAdmin by implementing IP-based access controls in your web server configuration and consider using HTTP authentication as an additional security layer.