LinuxQuestions.org


martinman 06-01-2003 07:22 PM

Securing phpMyAdmin
 
Hey all, just installed phpMyAdmin 2.5.1rc1, and it's great.

However, I have some security issues:
in my config file, I have my auth_type set to http, so my .htaccess file can handle it.

If I go to http://localhost/phpMyAdminfolder/ I get a login prompt, which is good. I can log in with root or martinman with passwords, which works fine.

However! I can also log in with ANY username (even asldfalt) and NO password, even though I can't even see any databases.

I want it to be so that the ONLY accounts that can get in are martinman and root.

Here's my .htaccess file:
Code:

AuthUserFile /var/www/html/phpMyAdmin-2.5.0-rc1/.htpasswd
AuthGroupFile /dev/null
AuthName phpMyAdmin
AuthType Basic
<Limit GET>
require martinman
require root
</Limit>

and my .htpasswd file:
Code:

martinman:encrypted stuff
root:encrypted stuff

Any help ASAP would be great.

unSpawn 06-02-2003 11:34 AM

What do the Apache log and error log say?
Could you post the complete config for the dir you're trying to passwd (starting and ending with the "directory" tag)? Btw, it would be more secure if you placed the passwd file outside of the docroot; no user except Apache's needs to read it.
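
An added example, not part of the thread or any poster's code: a small Python check that audits the .htaccess from the question for the password-file placement unSpawn mentions and, going beyond the thread, for `<Limit>` method scoping and `Require` lines that lack a `user`, `group` or `valid-user` keyword. The docroot `/var/www/html` is an assumption inferred from the posted path; `audit_htaccess` and the finding names are hypothetical.

```python
import posixpath
import re

# Constructed sample: the directives from the .htaccess posted in the question.
SAMPLE_HTACCESS = """\
AuthUserFile /var/www/html/phpMyAdmin-2.5.0-rc1/.htpasswd
AuthGroupFile /dev/null
AuthName phpMyAdmin
AuthType Basic
<Limit GET>
require martinman
require root
</Limit>
"""
DOCROOT = "/var/www/html"  # assumption: docroot inferred from the posted path

# Require keywords this check accepts; anything else is reported for review.
REQUIRE_TYPES = {"user", "group", "valid-user"}

def audit_htaccess(text, docroot):
    """Return a sorted list of finding strings for a Basic-auth .htaccess."""
    findings = set()
    root = posixpath.normpath(docroot)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        limit = re.match(r"<Limit\s+([^>]*)>", line, re.I)
        if limit:
            # Directives inside <Limit> apply only to the methods it lists.
            methods = ",".join(limit.group(1).upper().split())
            findings.add("limit-lists-methods:" + methods)
            continue
        if line.startswith("<"):
            continue  # closing tags and other containers are not audited
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "authuserfile" and args:
            path = posixpath.normpath(args[0].strip('"'))
            # Password file at or below the docroot sits in web-served space.
            if path == root or path.startswith(root + "/"):
                findings.add("passwd-file-inside-docroot")
        elif name == "require":
            if not args or args[0].lower() not in REQUIRE_TYPES:
                findings.add("require-missing-type:" + " ".join(args))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, DOCROOT):
        print(finding)
```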

markus1982 06-02-2003 12:13 PM

Your base PHP configuration should of course ALSO be secure, like with basepath, safe_mode, etc. enabled and properly configured!

martinman 06-02-2003 02:09 PM

Erm, could you guys walk me through where my Apache log is, and how to enable PHP safe mode?

unSpawn 06-02-2003 04:23 PM

The easiest way to find your Apache logs is to read your own http.conf, or check the default log dir locations.

