phpMyAdmin Security Issue

mr_dizzle · 12-16-2004, 01:36 AM

i'm not sure if this is the right area to post.

i am not using any panel to create sites for customers (done by hand).

in order to give them phpMyadmin, i simply copy the phpadmin directory from an existing site and then edit config.inc.php and change the DB Name, DB username and DB password.

in order to protect http://theirdomain.com/phpadmin, i drop an .htaccess file in that directory to protect from the public.

there are 2 issues i am having.

1) once they get in to phpMyAdmin, if they click on the "databases" link from the main page, it shows them all of the DB's on the box and are able to to whatever they want to them.

2) this has a less of a chance of happening but, if they edit the config.inc.php file and leave the DB Name blank then they can see all the DB's on the box in the left panel as soon as they login.

how can i lock users to view only the DB's that they have rights to?

i am using webmin to create the DB's and use webmin to set the permissions.

david_ross · 12-17-2004, 12:34 PM

The best way to fix this would be to remove the .htaccess file and the login credentials from the config file and set phpMyAdmin up as a multi user installation using http authentication - see the phpMyAdmin docs for info:
http://www.phpmyadmin.net/documentation/#controluser

mr_dizzle · 12-28-2004, 12:48 AM

this is exactly what i ended up doing. took the database name and user/pass out of config.inc.php and put just one copy of phpMyAdmin on the server. i set config.inc.php to use http auth. i then dropped an .htaccess file in the phpMyAdmin directory and set up the .htpasswd file to have the customers DB username/password. so now when they enter their DB user/pass in to .htaccess, it lets them in but only shows them the DB's that are permissible with that user/pass.