-2

I am currently working on a server where they are having a PCI scan performed, and one of the failures is that phpMyAdmin is out of date. The problem is that the server is running v4.0.10 and it's asking for v4.2.6. However the issue with this is that he is running MySQL 5.1 and to update to the latest phpMyAdmin you need to be running MySQL 5.5.

Things to take into consideration:

1) He does not want to lockdown phpMyAdmin which was my first suggestion.

2) He can't upgrade MySQL due to compatibility issues with his software.

With that said, I have a few questions:

1) How is this PCI scan detecting the phpMyAdmin version in the first place? I would think this would not be possible.

2) Is there a way to mask the phpMyAdmin version, or perhaps change it so that it shows something else when being scanned? I know that's a half-arsed way to approach things, but still I'd like to know.

If anyone has any input, it would be greatly appreciated!

daniel
  • my bad, was actually quite confused on PCI hardware versus PCI money-wise – Félix Adriyel Gagnon-Grenier Jul 31 '14 at 18:05
  • 3
    Stop it. PCI compliance is there to protect the site's customers' personal financial data. Do not take it lightly. Do not cheat the test. Do not open the site's customers up to fraud. Do not open the site's customers up to identity theft. Take a professional approach to security. – Quentin Jul 31 '14 at 18:05
  • PCI compliance is on-topic at [Security.SE](http://security.stackexchange.com). You might have more luck getting answers by flagging this post for migration there. – esqew Jul 31 '14 at 18:09

2 Answers

3

To answer them in order:

A lot of people install phpMyAdmin at default locations. I used to look at 404 errors and notice that they were bots looking for just such a directory and trying every common permutation thereof (/phpmyadmin, /phpMyAdmin, /dbAdmin, etc.). I'm not a fan of installing it on a production site because it is a security hole (you're literally making it easy for anyone who wants to try hammering your database until they find credentials that work). But it's not hard to find unless you're going to put it somewhere totally random.

There's no way to really mask the version without hacking the source. phpMyAdmin readily reports its version on older installs.

Machavity
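To make the two points of this answer concrete (default paths are guessable, and old installs disclose their release unauthenticated), here is an added example of the kind of fingerprinting a scanner does. It is not code from the answer, from any PCI scanner, or from the phpMyAdmin project. The directory wordlist, the `example.test` host and the sample responses are all constructed for the demonstration; the `?v=<version>` cache-buster on static assets and the `ChangeLog` / `README` files in the web root are real traits of phpMyAdmin 3.x/4.x installs, which is what the patterns look for.

```python
"""Added example: how a scanner fingerprints phpMyAdmin and reads its version.

Network access is abstracted behind a fetch(url) callable so the script runs
offline against constructed sample responses; http_fetch() is provided for
use against a host you are authorised to test.
"""
import re
import urllib.request
from typing import Callable, Dict, Optional

# Directory names commonly probed by bots and scanners. This list is an
# assumption for the example, not any real scanner's wordlist.
CANDIDATE_PATHS = [
    "/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/dbadmin/", "/dbAdmin/",
    "/mysql/", "/myadmin/",
]

# Files old releases shipped inside the web root that state the exact version.
# "" is the login page itself; which files exist depends on the release.
VERSION_FILES = ["", "ChangeLog", "README", "Documentation.html", "doc/html/index.html"]

# Patterns that pull a release number out of a response body:
#  - 4.x pages load assets as "js/foo.js?v=4.0.10" (version as cache buster)
#  - ChangeLog begins with a line such as "4.0.10 (2014-06-24)"
#  - README / documentation pages contain "Version 4.0.10"
VERSION_PATTERNS = [
    re.compile(r"\?v=(\d+\.\d+\.\d+(?:\.\d+)?)"),
    re.compile(r"^(\d+\.\d+\.\d+(?:\.\d+)?)\s+\(\d{4}-\d{2}-\d{2}\)", re.MULTILINE),
    re.compile(r"\bVersion\s+(\d+\.\d+\.\d+(?:\.\d+)?)", re.IGNORECASE),
]


def extract_version(body: str) -> Optional[str]:
    """Return the first phpMyAdmin release number found in a response body."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def looks_like_pma(body: str) -> bool:
    """Cheap check that a page is a phpMyAdmin login page (title / branding)."""
    return "phpMyAdmin" in body


def fingerprint(base_url: str, fetch: Callable[[str], Optional[str]]) -> Dict[str, Optional[str]]:
    """Probe the candidate paths; on a hit, try each version-disclosing file."""
    base = base_url.rstrip("/")
    for path in CANDIDATE_PATHS:
        login_page = fetch(base + path)
        if login_page is None or not looks_like_pma(login_page):
            continue
        for name in VERSION_FILES:
            body = login_page if name == "" else fetch(base + path + name)
            if body is None:
                continue
            version = extract_version(body)
            if version:
                return {"path": path, "version": version, "source": name or "login page"}
        return {"path": path, "version": None, "source": None}
    return {"path": None, "version": None, "source": None}


# Constructed sample responses standing in for a real server (not captures).
# The login page here carries no version; the ChangeLog gives it away instead.
SAMPLE_SERVER = {
    "http://example.test/phpMyAdmin/": (
        "<html><head><title>phpMyAdmin</title>"
        '<script src="js/jquery/jquery.min.js"></script></head>'
        '<body><form method="post"><input name="token"></form></body></html>'
    ),
    "http://example.test/phpMyAdmin/ChangeLog": "4.0.10 (2014-06-24)\n- constructed entry\n",
}


def fake_fetch(url: str) -> Optional[str]:
    """Offline fetcher: None plays the role of a 404."""
    return SAMPLE_SERVER.get(url)


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher for authorised testing; any HTTP or network error -> None."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except Exception:
        return None


if __name__ == "__main__":
    print(fingerprint("http://example.test", fake_fetch))
```

Stripping the `?v=` parameter or deleting `ChangeLog` and `README` only defeats these particular patterns; a scanner also keys on login-form field names, cookie names and response hashes, so cosmetic masking of the version does not make the scan finding false. Restricting who can reach the path at all is what takes it out of scope.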
0

1) He does not want to lockdown phpMyAdmin which was my first suggestion.

This. phpMyAdmin should not be in scope of a PCI scan because it has no business being publicly accessible in the first place - it should at the very least be locked down at the network level to a whitelist of IPs and would better be served sitting behind a VPN.

Additionally if the database is running on the web server then that's another PCI fail due to the mandates on separation of functionality.

2) He can't upgrade MySQL due to compatibility issues with his software.

MySQL V4 is way out of its support lifecycle, which is also a PCI fail.

I would point out to him that compliance is mandatory, not optional, and that there can be serious financial penalties if you are found to have been lax in its implementation and then suffer a breach.

Alex K.