Increase of phpMyAdmin scans

Published: 2017-08-07
Last Updated: 2017-08-07 08:08:08 UTC
by Xavier Mertens (Version: 1)
1 comment(s)

PMA (or "phpMyAdmin") is a well-known MySQL front-end written in PHP that "brings MySQL to the web", as stated on the web site[1]. The tool is very popular amongst web developers because it helps to maintain databases just by using a web browser. This also means that the front-end might be publicly exposed! An old PMA interface left behind by an admin is a common finding in many penetration tests.

Even if PMA restricts access with a login page, there is a lack of protection against brute-force attacks. One of my favourite tools to perform such an attack is Patator[2].

$ patator http_fuzz url= \
method=POST \
body="pma_username=admin&pma_password=COMBO00&server=1&target=index.php&lang=en&token=" \
0=dictionary.txt \
before_urls= \
accept_cookie=1 \
follow=1 \
-x ignore:fgrep="Cannot log in to the MySQL server"

Today, I detected an increasing amount of attempts to find PMA interfaces against my honeypots. Here is an extract of the tested URLs:


Also, older releases of phpMyAdmin have multiple known vulnerabilities[3]. Databases are critical components in most modern web applications. If there is a lack of protection, it should be possible to access other (internal? confidential?) databases from a compromised phpMyAdmin. My advice is to simply NOT expose these administration tools to the wild Internet and, if it is required, to not rely on the default protection mechanisms. A simple extra protection layer is to restrict access to internal hosts or VPNs with an IP access-list. An example with Apache:

<Directory "/pma">
    Order deny,allow
    Deny from all
    # Trusted addresses/networks go here (values omitted in the original)
    Allow from
    Allow from
</Directory>
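As an added example (not part of the diary), the following Python script runs over constructed Apache access-log lines and flags the two behaviours described above: hosts probing for phpMyAdmin-looking paths, and hosts repeatedly POSTing to the PMA login page, which is the traffic pattern a dictionary attack such as the Patator run above produces. All IP addresses, timestamps, user agents and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
PMA_RE = re.compile(r'(pma|phpmyadmin)', re.IGNORECASE)  # phpMyAdmin-looking request paths
# Constructed sample lines (not real honeypot data): a PMA prober, a benign visitor, a login hammerer.
SAMPLE_LOG = [
    '203.0.113.10 - - [07/Aug/2017:08:00:01 +0000] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Aug/2017:08:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [07/Aug/2017:08:00:03 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [07/Aug/2017:08:00:04 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
] + [
    f'198.51.100.7 - - [07/Aug/2017:08:01:{s:02d} +0000] "POST /pma/index.php HTTP/1.1" 200 2481 "-" "python-requests/2.18"'
    for s in range(0, 30, 5)  # six POSTs to the login page within 25 seconds
]

def parse(line):
    """Return a dict (ip, ts as datetime, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def pma_scanners(lines):
    """Map each client that requested a phpMyAdmin-looking path to the set of paths it tried."""
    hits = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        if PMA_RE.search(rec["path"]):
            hits[rec["ip"]].add(rec["path"])
    return dict(hits)

def login_bruteforce(lines, threshold=5, window_s=60):
    """Clients with >= `threshold` POSTs to a PMA path inside any `window_s`-second span: {ip: total POSTs}."""
    posts = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["method"] == "POST" and PMA_RE.search(rec["path"]):
            posts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in posts.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):  # sliding window over sorted timestamps
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged[ip] = len(stamps)
                break
    return flagged
```

Run against a real access log, the same two functions give you the list of hosts to block at the access-list and a quick check that the login page is being hammered despite it.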


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant



This is so simple for me as well. I don't use a Directory directive, I use a LocationMatch directive. I know it's probably redundant, but I made it a really long time ago.

<LocationMatch "admin">
Order Deny,Allow
Deny from All
Allow from
</LocationMatch>
<LocationMatch "Admin">
Order Deny,Allow
Deny from All
Allow from
</LocationMatch>
