Hi Guys,
I've just had a major security hole reported to me by Colin Keigher (AnimeFreak) <animefreak@users.sourceforge.net>. It relates to how some sites have PMA set up (they have the username and password hardcoded, without any .htaccess protection).
Basically, by searching on Google for "Welcome to phpMyAdmin" or its translated equivalents, you can find a lot of PMA installations. You can put the version number in there as well, like "Welcome to phpMyAdmin 2.3.0-rc1". Here is a sample URL to search: http://www.google.ca/search?hl=en&ie=UTF-8&oe=UTF-8&q=%22Welcome...
Using some of these URLs you can do stuff like: http://www1.tsimtung.com/phpMyAdmin/sql.php?goto=/etc/passwd&btnDrop=No
Here is a front page: http://garfield.vet.fnt.hvu.nl/counter/myadmin/
And other nefarious things. I found a few sites where I could access their entire database with full rights, and even some where they have configured the user as root and I could change the mysql database.
This is what we need to do to fix it:
1. All served-up pages should contain directives to instruct search robots not to index the files. This will stop so many sites being listed in the search engines.
2. We should deprecate the user/password standard login, or add a bit of technology to it. We should throw up a login page of our own, which should authenticate against a user/password pair in an array inside the configuration file. It might be possible to keep the automatic login with user/password, but it should not be enabled by default, for security. And the configuration option to turn that insecure method back on should have huge warnings around it.
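The two fixes proposed above (robots directives on every page, and a login page that checks credentials stored in the configuration file), plus an allowlist for the `goto` parameter that the sql.php example shows being pointed at /etc/passwd, sketched as one PHP front-end. This is an added example, not phpMyAdmin code and not the author's patch: the config key `$cfg['AuthUsers']`, the `auth_type` values, the `pma_username`/`pma_password` form fields and the list of allowed target scripts are all assumed names for illustration, and `password_hash()`/`password_verify()` are modern PHP functions that did not exist at the time of this mail.

```php
<?php
// Added example (not phpMyAdmin code). Assumed config layout:
//   $cfg['AuthUsers'] : username => password hash, hash made with password_hash()
//   $cfg['AuthType']  : 'login' (our own form, default) or 'config' (old
//                       hardcoded auto-login, must be turned on explicitly)
session_start();

$cfg = array();
$cfg['AuthType'] = 'login';
// In a real config.inc.php the hash string is pasted in; it is generated
// here only so the example runs stand-alone. Plaintext is never stored.
$cfg['AuthUsers'] = array(
    'pma' => password_hash('change-me', PASSWORD_DEFAULT),
);
// Hypothetical list of scripts `goto` may legitimately point at.
$allowedGoto = array('main.php', 'db_details.php', 'tbl_properties.php');

// Fix 1: every served page tells search robots to stay away. Sent both as
// an HTTP header and (below) as a <meta> tag for robots that ignore headers.
header('X-Robots-Tag: noindex, nofollow');

// Credential check against the configuration array.
function authenticate(array $users, $user, $pass) {
    if (!is_string($user) || !is_string($pass) || !isset($users[$user])) {
        return false;
    }
    return password_verify($pass, $users[$user]);
}

// Restrict `goto` to a known script name; anything else (absolute paths,
// ../ sequences, /etc/passwd) falls back to main.php.
function safeGoto($goto, array $allowed) {
    $goto = basename((string) $goto);
    return in_array($goto, $allowed, true) ? $goto : 'main.php';
}

function robotsMeta() {
    return '<meta name="robots" content="noindex,nofollow">';
}

// Fix 2: our own login page, unless the insecure auto-login was re-enabled.
if ($cfg['AuthType'] === 'config') {
    // WARNING: anyone who finds this installation is logged in as the
    // configured user. Only acceptable behind .htaccess or similar.
    $_SESSION['pma_user'] = key($cfg['AuthUsers']);
} elseif (isset($_POST['pma_username'], $_POST['pma_password'])) {
    if (authenticate($cfg['AuthUsers'], $_POST['pma_username'], $_POST['pma_password'])) {
        session_regenerate_id(true);          // avoid session fixation
        $_SESSION['pma_user'] = $_POST['pma_username'];
    } else {
        sleep(1);                              // slow down guessing
    }
}

if (empty($_SESSION['pma_user'])) {
    echo "<!DOCTYPE html><html><head>", robotsMeta(), "<title>Log in</title></head><body>\n";
    echo "<form method=\"post\">\n";
    echo "Username: <input name=\"pma_username\"><br>\n";
    echo "Password: <input type=\"password\" name=\"pma_password\"><br>\n";
    echo "<input type=\"submit\" value=\"Log in\">\n</form></body></html>\n";
    exit;
}

// Authenticated: honour `goto` only if it names an allowed script.
$target = safeGoto(isset($_GET['goto']) ? $_GET['goto'] : 'main.php', $allowedGoto);
header('Location: ' . $target);
exit;
```

With `AuthType` left at `login`, a crawler that found the page would see only the noindex'd form, and `sql.php?goto=/etc/passwd` would redirect to main.php instead of reading the file. Setting `AuthType` to `config` restores the old behaviour, which is why that branch carries the warning comment.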