#12259 phpmyadmin-folder inside public_html-folder / Is this dangerous?

Posted in ‘Admin Tools for Joomla! 4 & 5’
Latest post by nicholas on Friday, 11 May 2012 10:09 CDT

amorim

Security question unrelated to technical details – provider related issue.

Hi Nicholas,

I have my site in 2 different languages and host them with providers in different countries. After installing the AdminTools firewall on the second server, I could not log in via phpmyadmin – got blocked out – even though this was never an issue with the first provider.

Hotline told me that my .htaccess file was causing the problem (= the AdminTools firewall) and commented out the following commands:

#RewriteCond %{REQUEST_FILENAME} (\.php)$
#RewriteCond %{REQUEST_FILENAME} !(/index[23]?\.php)$
#RewriteCond %{REQUEST_FILENAME} -f
#RewriteRule (.*\.php)$ - [F]

And the issue was solved – at least as far as the provider is concerned...

I found out that the first provider keeps the phpmyadmin folder outside the public_html folder (good old cpan interface). The second provider keeps the folder inside. I asked, but I can't change this, that's how their system was configured.

My question: how dangerous is it to leave the .htaccess file without these 4 commands?

Should I delete the comments and put them back temporarily only when I need to access the databases? (Not that often). It would be a bit of a pain, but better safe than sorry.

Thanks!

nicholas
Akeeba Staff
Manager
Never, EVER, directly edit the .htaccess file generated by .htaccess maker. Instead, please add your phpMyAdmin directory in the "Allow direct access (including .php files) to these directories" area, as per our documentation instructions.

Regarding having phpMyAdmin in a publicly accessible location of your server, I consider it a bad idea. For a good dose of what other geeks say about securing phpMyAdmin, I will ask you to take a look at the relevant StackOverflow thread.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
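
Added example, not part of the ticket and not Admin Tools code: a Python model of the four rewrite lines quoted in the question, showing which files they answer with 403 and what the "Allow direct access" exception changes. The sample paths are constructed, and treating the exception as a directory prefix checked before the block is an assumption about how the generated .htaccess behaves.

```python
import re

# The RewriteCond patterns from the ticket, applied to REQUEST_FILENAME.
# Dots are escaped so ".php" matches a literal file extension.
IS_PHP = re.compile(r"(\.php)$")
IS_INDEX = re.compile(r"(/index[23]?\.php)$")


def is_forbidden(filename, existing_files, allowed_dirs=()):
    """Return True when the rule block would answer 403 for this file path.

    allowed_dirs models the "Allow direct access" list as directory prefixes
    exempted before the block is reached (assumption, see lead-in).
    """
    if any(filename.startswith(d.rstrip("/") + "/") for d in allowed_dirs):
        return False
    return (
        IS_PHP.search(filename) is not None      # RewriteCond ... (\.php)$
        and IS_INDEX.search(filename) is None    # RewriteCond ... !(/index[23]?\.php)$
        and filename in existing_files           # RewriteCond ... -f
    )                                            # RewriteRule ... - [F]


# Constructed sample document root; none of these paths come from the ticket.
ROOT = "/home/example/public_html"
FILES = {
    ROOT + "/index.php",
    ROOT + "/administrator/index2.php",
    ROOT + "/tmp/uploaded.php",
    ROOT + "/phpmyadmin/index.php",
    ROOT + "/phpmyadmin/sql.php",
    ROOT + "/images/logo.png",
}


def report(allowed_dirs=()):
    """Map each sample file to True (403) or False (served)."""
    return {f[len(ROOT):]: is_forbidden(f, FILES, allowed_dirs) for f in sorted(FILES)}


if __name__ == "__main__":
    for label, dirs in (("rules active", ()), ("phpmyadmin allowed", (ROOT + "/phpmyadmin",))):
        print(label)
        for path, blocked in report(dirs).items():
            print(f"  {'403' if blocked else 'ok '}  {path}")
```

In this model the directory exception opens only the phpmyadmin folder, while commenting out the four lines would also make the constructed /tmp/uploaded.php directly requestable.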

amorim
Thank you very much, Nicholas. I have done as told. (Please close ticket.)

Now trying to get provider to move said folder out of public_html. Another thing learned.

Have a good weekend!

nicholas
Akeeba Staff
Manager
You're welcome!
