Portable phpMyAdmin – Unsafe For WordPress Consumption
In June of 2011, my colleague Sarah Gooding wrote about a phpMyAdmin plugin that posed a HUGE security risk. Because of the security risk, this plugin was removed from the WordPress repository and it was recommended that everyone stop using it and remove it.
Now, there’s another dangerous plugin in the WordPress repository – Portable phpMyAdmin.
How Dangerous Is This Plugin?
VERY!! In fact, stop reading right now. Go to any websites where you have this installed, deactivate it, and delete it. If after reading this you want to reinstall it, the information will still be in the database, but you’ll be protected in the meantime.
What Is It Supposed To Do?
The concept here appears to be pretty simple – and maybe that’s part of the problem. The idea is that once you are logged in to your admin section of your website, you can access your underlying database by simply navigating to the Portable PMA menu. Once you click on that selection, you’ll see phpMyAdmin open inside of your WordPress Admin section. Not so bad right? I mean, you are the admin, you should be able to see that.
O.K. So What’s The Problem?
If an admin can access this information, then there should be NO problem, correct? If you’d like to follow along with this, create a temporary WordPress installation on a test domain and create a user account with the “Subscriber” role – the least privileges that a WordPress user can have by default. Log out of your admin account and log back in using that “Subscriber” login. You should see your Subscriber Profile page as shown below:
Well, no danger there, is it? The subscriber can only access their own personal profile page and NOTHING else. Looks pretty innocuous to the most casual observer on the scene.
Now, type the following:
into your browser address bar (changing “yourdomain.com” to your actual domain name and press “Enter”.
What do you see?
You probably see phpMyAdmin and the underlying tables of your website as shown in the image below.
A subscriber to your website, who knows about this little trick, now has complete access to your underlying database. Do you think any damage can be done now?
Depending upon your server and database configuration, someone at this screen can destroy data, delete databases, create new databases, and generally wreak havoc on your WordPress website. If all your databases are common to one another, they now not only have access to the database for the website you have this installed on, but EVERY database in the cluster.
Choose a database from the dropdown on the left of the screen and see what you find. You will see all the tables in the database and a lot of information about them.
Think I’m panicking? Give it a try. Do something simple like change the UserName of your Admin Login – remember you are logged in as a subscriber ONLY and you would not normally be able to do this.
How Do You Do This?
From the Database dropdown on the left side, choose the database you want to modify (hint, it will NOT be information_schema). Once the list of tables is showing, choose wp_users (for a single site installation) or wpmain_users (for a multisite installation).
More than likely, the “Structure” tab will be active, so click the “Browse” tab and you will see the data stored in your database table in the bottom half of your screen. Click the box beside one of the usernames and click the pencil icon below the table contents. Note: Don’t use the pencil icon in the list of records as it takes you to your website and will probably give a 404 Error.
When the new screen opens, you can change the username and the email address associated with it and you now have control over that website. Don’t bother to change the password as it’s encrypted. Just use the “Forgot Password” feature in WordPress to change it and you are now set to go.
There. That was easy wasn’t it. You have now taken over someone’s WordPress website – and it took very little time and effort to do it.
What Else Can Be Done?
As I said earlier, depending upon your server and database configuration and security settings, a lot can be accomplished. My server will not allow new databases to be created, but not all servers are configured that way. If that is not prohibited, then an unscrupulous person could create new databases, modify anything in your existing databases, delete your data or your databases, and a host of other things that can create more headaches than you really want to deal with. The simplicity and ease of accessing your database yourself is not worth the potential for problems created by someone else accessing that same information.
Is this plugin still on your website? Well, what are you waiting for? Disable it…delete it…and never look back!
Shouldn’t The Developer Be Working On This?
The developer – and a few other people – have been working on this. In fact, Kapersky reported on December 14, 2012 that the solution was to update to version 1.3.1 because the developer had fixed the issues. Everything that you have seen in screenshots in this article is using that latest version and as you will see, the security hole still exists. Try it for yourself and verify my findings.
Regardless of the security changes that the developer – or anyone else – makes, I will not be using this plugin now or in the future. With all the other MySQL tools available, I’m not certain why you would actually need to have access to your database in the admin section like this plugin allows. There are better solutions that don’t compromise your security.
What Is A Better Solution?
There are several MySQL access solutions available on the market. Look into these:
Personally, I’ve found phpMyAdmin to be a real pain to use. I like and use Navicat regularly. I’ve found nothing so far that I’ve needed to do that Navicat could not do. As for all the others, I leave that to you without any opinion of my own.
If you use any of these – or any other tool to access your MySQL database, please tell us about your experience in the comments below. I’d love to hear your thoughts and I’m sure our community would be interested as well.